{
"@context": {
"d3f": "http://d3fend.mitre.org/ontologies/d3fend.owl#",
"dbr": "http://dbpedia.org/resource/",
"dc": "http://purl.org/dc/elements/1.1/",
"dcterms": "http://purl.org/dc/terms/",
"owl": "http://www.w3.org/2002/07/owl#",
"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
"rdfs": "http://www.w3.org/2000/01/rdf-schema#",
"skos": "http://www.w3.org/2004/02/skos/core#",
"xml": "http://www.w3.org/XML/1998/namespace",
"xsd": "http://www.w3.org/2001/XMLSchema#"
},
"@graph": [
{
"@id": "d3f:ContainerImage",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.\n\nContainer images become containers at runtime and in the case of Docker containers - images become containers when they run on Docker Engine. Available for both Linux and Windows-based applications, containerized software will always run the same, regardless of the infrastructure. Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging.",
"rdfs:isDefinedBy": {
"@id": "https://www.docker.com/resources/what-container"
},
"rdfs:label": "Container Image",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/objects/image"
},
"rdfs:subClassOf": [
{
"@id": "d3f:ComputingImage"
},
{
"@id": "d3f:SoftwarePackage"
}
]
},
{
"@id": "d3f:Reference-CAR-2021-05-009%3ACertUtilWithDecodeArgument_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2021-05-009/"
},
"d3f:kb-abstract": "CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2021-05-009: CertUtil With Decode Argument",
"rdfs:label": "Reference - CAR-2021-05-009: CertUtil With Decode Argument - MITRE"
},
{
"@id": "d3f:ROM",
"@type": "owl:Class",
"d3f:definition": "Read-only memory (ROM) is a type of non-volatile memory used in computers and other electronic devices. Data stored in ROM cannot be electronically modified after the manufacture of the memory device. Read-only memory is useful for storing software that is rarely changed during the life of the system, also known as firmware.",
"d3f:synonym": "Read-only Memory",
"rdfs:isDefinedBy": {
"@id": "https://dbpedia.org/page/Read-only_memory"
},
"rdfs:label": "ROM",
"rdfs:subClassOf": {
"@id": "d3f:PrimaryStorage"
}
},
{
"@id": "d3f:ServiceProvider",
"@type": "owl:Class",
"d3f:definition": "A service provider offers delivery of intangible outputs such as expertise, support, or access to resources to individuals, organizations, or other entities.",
"rdfs:label": "Service Provider",
"rdfs:subClassOf": {
"@id": "d3f:Provider"
}
},
{
"@id": "d3f:WindowsOpenThread",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Opens an existing thread object.",
"d3f:invokes": {
"@id": "d3f:WindowsNtOpenThread"
},
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthread"
},
"rdfs:label": "Windows OpenThread",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPITraceThread"
},
{
"@id": "_:N199fc99cfedf4facb117c433ff5ac426"
}
]
},
{
"@id": "_:N199fc99cfedf4facb117c433ff5ac426",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtOpenThread"
}
},
{
"@id": "d3f:may-be-contained-by",
"@type": [
"owl:ObjectProperty",
"owl:TransitiveProperty"
],
"owl:inverseOf": {
"@id": "d3f:may-contain"
},
"rdfs:label": "may-be-contained-by",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:Hostname",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DomainName"
],
"d3f:definition": "In computer networking, a hostname (archaically nodename) is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication, such as the World Wide Web. Hostnames may be simple names consisting of a single word or phrase, or they may be structured.",
"d3f:identifies": {
"@id": "d3f:Host"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Hostname"
},
"rdfs:label": "Hostname",
"rdfs:subClassOf": [
{
"@id": "d3f:Identifier"
},
{
"@id": "_:N5c0663d105ae43a0a1234d20d751b151"
}
],
"skos:altLabel": "Nodename"
},
{
"@id": "_:N5c0663d105ae43a0a1234d20d751b151",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:identifies"
},
"owl:someValuesFrom": {
"@id": "d3f:Host"
}
},
{
"@id": "d3f:Mean",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-MEA",
"d3f:definition": "The sum of all measurements divided by the number of observations in the data set.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
"rdfs:label": "Mean",
"rdfs:subClassOf": {
"@id": "d3f:CentralTendency"
}
},
{
"@id": "d3f:participates-in",
"@type": "owl:ObjectProperty",
"d3f:definition": "x participates-in y: The object x takes part in the event y, signifying that x contributes to or is affected by the event’s occurrence in some way.",
"rdfs:isDefinedBy": {
"@id": "http://purl.obolibrary.org/obo/BFO_0000056"
},
"rdfs:label": "participates-in",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:T1556.009",
"@type": "owl:Class",
"d3f:attack-id": "T1556.009",
"d3f:definition": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.",
"rdfs:label": "Conditional Access Policies",
"rdfs:subClassOf": {
"@id": "d3f:T1556"
}
},
{
"@id": "d3f:CWE-1106",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1106",
"d3f:definition": "The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.",
"rdfs:label": "Insufficient Use of Symbolic Constants",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1078"
}
},
{
"@id": "d3f:WindowsNtDuplicateToken",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "The NtDuplicateToken function creates a handle to a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.",
"rdfs:label": "Windows NtDuplicateToken",
"rdfs:seeAlso": [
{
"@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
},
{
"@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntduplicatetoken"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OSAPICopyToken"
}
},
{
"@id": "d3f:T1496.003",
"@type": "owl:Class",
"d3f:attack-id": "T1496.003",
"d3f:definition": "Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)",
"rdfs:label": "SMS Pumping",
"rdfs:subClassOf": {
"@id": "d3f:T1496"
}
},
{
"@id": "d3f:CWE-780",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-780",
"d3f:definition": "The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.",
"rdfs:label": "Use of RSA Algorithm without OAEP",
"rdfs:subClassOf": {
"@id": "d3f:CWE-327"
}
},
{
"@id": "d3f:T1216.001",
"@type": "owl:Class",
"d3f:attack-id": "T1216.001",
"d3f:definition": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)",
"rdfs:label": "PubPrn",
"rdfs:subClassOf": {
"@id": "d3f:T1216"
}
},
{
"@id": "d3f:OTErrorMessage",
"@type": "owl:Class",
"d3f:definition": "An anticipated, reproducible defect occurred within the system.",
"rdfs:comment": "BACnet: Error: 1\nBACnet: Error: 2\nBACnet: Error: 3\nBACnet: Error: 4\nBACnet: Error: 5\nBACnet: Error: 6\nBACnet: Error: 7\nBACnet: Error: 8",
"rdfs:label": "OT Error Message",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTDiagnosticsMessage"
}
},
{
"@id": "d3f:T1069",
"@type": "owl:Class",
"d3f:attack-id": "T1069",
"d3f:definition": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.",
"rdfs:label": "Permission Groups Discovery",
"rdfs:subClassOf": {
"@id": "d3f:DiscoveryTechnique"
}
},
{
"@id": "d3f:TA0043",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.",
"d3f:display-order": -1,
"rdfs:label": "Reconnaissance",
"rdfs:subClassOf": [
{
"@id": "d3f:ATTACKEnterpriseTactic"
},
{
"@id": "d3f:OffensiveTactic"
}
]
},
{
"@id": "d3f:CWE-1109",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1109",
"d3f:definition": "The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.",
"rdfs:label": "Use of Same Variable for Multiple Purposes",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1078"
}
},
{
"@id": "d3f:CloudStorage",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Cloud storage is storage held within a computing cloud.",
"rdfs:isDefinedBy": {
"@id": "dbr:Cloud_storage"
},
"rdfs:label": "Cloud Storage",
"rdfs:seeAlso": {
"@id": "dbr:Cloud_computing"
},
"rdfs:subClassOf": {
"@id": "d3f:SecondaryStorage"
}
},
{
"@id": "d3f:ProbabilisticLogic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-PL",
"d3f:definition": "Probabilistic logic extends traditional logic truth tables with probabilistic expressions.",
"d3f:kb-article": "## References\n1. Probabilistic logic. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Probabilistic_logic)",
"rdfs:label": "Probabilistic Logic",
"rdfs:subClassOf": {
"@id": "d3f:SymbolicAI"
}
},
{
"@id": "d3f:IOPortRestriction",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:IOPortRestriction"
],
"d3f:d3fend-id": "D3-IOPR",
"d3f:definition": "Limiting access to computer input/output (IO) ports to restrict unauthorized devices.",
"d3f:filters": [
{
"@id": "d3f:InputDevice"
},
{
"@id": "d3f:RemovableMediaDevice"
}
],
"d3f:kb-article": "## How It works\n\nSoftware-based restriction uses agent software installed on a computer system. The agent software monitors all IO port system traffic. The agent software is configurable to limit the use of certain devices connected to IO ports. The restriction software can also be configured to limit the access to files and applications on external storage devices connected to IO ports.\n\nHardware-based restriction can also be employed to limit access to IO ports. For example, a hardware USB filter device that is placed between the host system and the external devices can filter IO port connections based on configurable rules. When new devices are connected to the USB filter the type of device is determined. Using an allow list a connection determination is made for the device.\n\nSome implementations detect when a device is connected in order to authorize the connection against a list of approved devices, in some cases by device type. For example, if the device is determined to be a storage device, then the contained files and executables are examined to more accurately identify the device type.\n\nTypes of restrictions that may be applied:\n- Device connection\n- Device command filtering\n- Device file system read or write restrictions\n\n## Considerations\n * Agent software will need to be installed on host systems\n * Configurations for allow/deny for devices and files will need to be maintained",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-ComputerMotherboardHavingPeripheralSecurityFunctions"
},
{
"@id": "d3f:Reference-MethodAndSystemForControllingCommunicationPorts"
},
{
"@id": "d3f:Reference-USBFilterForHubMaliciousCodePreventionSystem"
}
],
"rdfs:label": "IO Port Restriction",
"rdfs:subClassOf": [
{
"@id": "d3f:AccessMediation"
},
{
"@id": "_:N03aab222c5b549558d612df43f08db19"
},
{
"@id": "_:Nac911206556949dabdeb60e6967efc33"
}
]
},
{
"@id": "_:N03aab222c5b549558d612df43f08db19",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:filters"
},
"owl:someValuesFrom": {
"@id": "d3f:InputDevice"
}
},
{
"@id": "_:Nac911206556949dabdeb60e6967efc33",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:filters"
},
"owl:someValuesFrom": {
"@id": "d3f:RemovableMediaDevice"
}
},
{
"@id": "d3f:T1222.001",
"@type": "owl:Class",
"d3f:attack-id": "T1222.001",
"d3f:definition": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).",
"rdfs:label": "Windows File and Directory Permissions Modification",
"rdfs:subClassOf": {
"@id": "d3f:T1222"
}
},
{
"@id": "d3f:CWE-183",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-183",
"d3f:definition": "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.",
"d3f:synonym": [
"Allowlist / Allow List",
"Safelist / Safe List",
"Whitelist / White List"
],
"rdfs:label": "Permissive List of Allowed Inputs",
"rdfs:subClassOf": {
"@id": "d3f:CWE-697"
}
},
{
"@id": "d3f:DistributionProperties",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DP",
"d3f:definition": "The properties derived from a probability distribution.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Probability distribution. [Link](https://en.wikipedia.org/wiki/Probability_distribution)",
"rdfs:label": "Distribution Properties",
"rdfs:subClassOf": {
"@id": "d3f:DescriptiveStatistics"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_1",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Least Privilege | Authorize Access to Security Functions",
"d3f:exactly": {
"@id": "d3f:SystemConfigurationPermissions"
},
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-6(1)"
},
{
"@id": "d3f:SystemSoftware",
"@type": "owl:Class",
"d3f:definition": "Computer software which enables operating system or platform functionality.",
"rdfs:label": "System Software",
"rdfs:subClassOf": {
"@id": "d3f:Software"
}
},
{
"@id": "d3f:ThinClientComputer",
"@type": "owl:Class",
"d3f:definition": "A thin client is a lightweight computer that has been optimized for establishing a remote connection with a server-based computing environment. The server does most of the work, which can include launching software programs, performing calculations, and storing data. This contrasts with a fat client or a conventional personal computer; the former is also intended for working in a client-server model but has significant local processing power, while the latter aims to perform its function mostly locally. Thin clients are shared computers as the thin client's computing resources are provided by a remote server.",
"rdfs:isDefinedBy": {
"@id": "dbr:Thin_client"
},
"rdfs:label": "Thin Client Computer",
"rdfs:subClassOf": {
"@id": "d3f:SharedComputer"
}
},
{
"@id": "d3f:CWE-235",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-235",
"d3f:definition": "The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.",
"rdfs:label": "Improper Handling of Extra Parameters",
"rdfs:subClassOf": {
"@id": "d3f:CWE-233"
}
},
{
"@id": "d3f:OTSetTimeCommand",
"@type": "owl:Class",
"d3f:definition": "Set timing mechanisms.",
"rdfs:label": "OT Set Time Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTTimeCommand"
}
},
{
"@id": "d3f:CWE-57",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-57",
"d3f:definition": "The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.",
"rdfs:label": "Path Equivalence: 'fakedir/../realdir/filename'",
"rdfs:subClassOf": {
"@id": "d3f:CWE-41"
}
},
{
"@id": "d3f:CCI-001118_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:NetworkIsolation"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001118"
},
{
"@id": "d3f:T1552.004",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:PrivateKey"
},
"d3f:attack-id": "T1552.004",
"d3f:definition": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.",
"rdfs:label": "Private Keys",
"rdfs:subClassOf": [
{
"@id": "d3f:T1552"
},
{
"@id": "_:N42d4b39e9de74f0eb67ed9477a3326be"
}
]
},
{
"@id": "_:N42d4b39e9de74f0eb67ed9477a3326be",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:PrivateKey"
}
},
{
"@id": "d3f:SuspendProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:suspends": {
"@id": "d3f:Process"
},
"rdfs:label": "Suspend Process",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Nbc9de016fe35411297052b5cadee252d"
}
]
},
{
"@id": "_:Nbc9de016fe35411297052b5cadee252d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:suspends"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:CCI-002211_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-24T00:00:00"
},
"rdfs:label": "CCI-002211"
},
{
"@id": "d3f:AverageAbsoluteDeviation",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-AAD",
"d3f:definition": "The average absolute deviation (AAD) of a data set is the average of the absolute deviations from a central point.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)",
"rdfs:label": "Average Absolute Deviation",
"rdfs:subClassOf": {
"@id": "d3f:Variability"
}
},
{
"@id": "d3f:CWE-284",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-284",
"d3f:definition": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"d3f:synonym": "Authorization",
"rdfs:label": "Improper Access Control",
"rdfs:subClassOf": {
"@id": "d3f:Weakness"
}
},
{
"@id": "d3f:CWE-1039",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1039",
"d3f:definition": "The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.",
"rdfs:label": [
"Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
"Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism"
],
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-693"
},
{
"@id": "d3f:CWE-697"
}
]
},
{
"@id": "d3f:T1590.004",
"@type": "owl:Class",
"d3f:attack-id": "T1590.004",
"d3f:definition": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.",
"rdfs:label": "Network Topology",
"rdfs:subClassOf": {
"@id": "d3f:T1590"
}
},
{
"@id": "d3f:CWE-638",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-638",
"d3f:definition": "The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.",
"rdfs:label": "Not Using Complete Mediation",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-657"
},
{
"@id": "d3f:CWE-862"
}
]
},
{
"@id": "d3f:Reference-MethodAndSystemForControllingCommunicationPorts",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US8566924"
},
"d3f:kb-abstract": "A method for limiting devices and controlling the applications executed from USB ports on personal computers (PCs).",
"d3f:kb-author": "Steven V Bacastow",
"d3f:kb-organization": "OL Security LLC",
"d3f:kb-reference-of": {
"@id": "d3f:IOPortRestriction"
},
"d3f:kb-reference-title": "Method and system for controlling communication ports",
"rdfs:label": "Reference - Method and system for controlling communication ports"
},
{
"@id": "d3f:InternationalizedDomainName",
"@type": [
"owl:NamedIndividual",
"d3f:DomainName"
],
"rdfs:label": "Internationalized Domain Name"
},
{
"@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patentimages.storage.googleapis.com/a9/40/78/713c8deb2c4c7a/US20190268352A1.pdf"
},
"d3f:kb-abstract": "A Content Disarm and Reconstruction ( CDR ) method is disclosed including a computer receiving an input file hav ing a file format configured with a structured storage. The computer disassembles the structured storage into at least one subfile . Each subfile is a stream subfile . For each subfile , the computer identifies an item in the stream subfile . The computer analyzes the item in the stream subfile for an unwanted behavior by determining an acceptability of the unwanted behavior , distinguishing a visibility of the item , and recognizing a necessity of the item . The computer , based on a result of the analyzing step , processes the item in the stream subfile resulting in a processed subfile . The computer assembles the processed subfiles into an output file having the same file format as the file format as the input file .",
"d3f:kb-author": "Taeil Goh, Vinh Nguyen Xuan Lam, Nhut Minh Ngo, Dung Huu Nguyen",
"d3f:kb-organization": "OPSWAT, Inc.",
"d3f:kb-reference-of": [
{
"@id": "d3f:ContentExcision"
},
{
"@id": "d3f:ContentFiltering"
},
{
"@id": "d3f:ContentFormatConversion"
},
{
"@id": "d3f:ContentModification"
},
{
"@id": "d3f:ContentRebuild"
},
{
"@id": "d3f:ContentSubstitution"
}
],
"d3f:kb-reference-title": "Method For Content Disarm and Reconstruction",
"rdfs:label": "Reference - Method For Content Disarm and Reconstruction - OPSWAT Inc"
},
{
"@id": "d3f:Reference-CNNSI-4009",
"@type": [
"owl:NamedIndividual",
"d3f:GuidelineReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf"
},
"d3f:kb-abstract": "[The CNSS Glossary is a jointly curated glossary of terms for National Security Systems by DoD, IC, and Civil Agencies (e.g., NIST)",
"d3f:kb-organization": "Committee on National Security Systems (CNSS)",
"d3f:kb-reference-of": {
"@id": "d3f:PhysicalAccessMediation"
},
"d3f:kb-reference-title": "Committee on National Security Systems (CNSS) Glossary",
"rdfs:label": "Reference - Committee on National Security Systems (CNSS) Glossary"
},
{
"@id": "d3f:JavascriptFile",
"@type": [
"owl:NamedIndividual",
"d3f:ExecutableScript"
],
"rdfs:label": "Javascript File"
},
{
"@id": "d3f:T1213.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1213.003",
"d3f:definition": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.",
"d3f:reads": {
"@id": "d3f:CodeRepository"
},
"rdfs:label": "Code Repositories",
"rdfs:subClassOf": [
{
"@id": "d3f:T1213"
},
{
"@id": "_:Nfb21cc01997d43e8bffa473ae7fa8c58"
}
]
},
{
"@id": "_:Nfb21cc01997d43e8bffa473ae7fa8c58",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:reads"
},
"owl:someValuesFrom": {
"@id": "d3f:CodeRepository"
}
},
{
"@id": "d3f:CWE-95",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-95",
"d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. \"eval\").",
"rdfs:label": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-94"
}
},
{
"@id": "d3f:PatentReference",
"@type": "owl:Class",
"d3f:pref-label": "Patent",
"rdfs:label": "Patent Reference",
"rdfs:subClassOf": {
"@id": "d3f:TechniqueReference"
}
},
{
"@id": "d3f:T1149",
"@type": "owl:Class",
"d3f:attack-id": "T1149",
"d3f:definition": "**This technique has been deprecated and should no longer be used.**",
"owl:deprecated": true,
"rdfs:comment": "**This technique has been deprecated and should no longer be used.**",
"rdfs:label": "LC_MAIN Hijacking",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:Reference-UseRkillToStopMalwareProcesses-Ghacks.net",
"@type": [
"owl:NamedIndividual",
"d3f:TechniqueReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.ghacks.net/2011/07/29/use-rkill-to-stop-malware-processes/"
},
"d3f:kb-author": "Melanie Gross",
"d3f:kb-organization": "ghacks.net",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessTermination"
},
"d3f:kb-reference-title": "Use Rkill to Stop Malware Processes",
"rdfs:label": "Reference - Use Rkill to Stop Malware Processes - ghacks.net"
},
{
"@id": "d3f:Reference-SystemAndMethodForNetworkSecurityIncludingDetectionOfAttacksThroughPartnerWebsites_EMCIPHoldingCoLLC",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20110302653A1/en?oq=US+20110302653+A1"
},
"d3f:kb-abstract": "A computer readable storage medium has instructions for execution on a computer. The instructions monitor transactions between a server and a set of clients. An evaluation of session indicators associated with the transactions is performed. Individual sessions between the server and individual clients of the plurality of clients are isolated in response to the evaluation.",
"d3f:kb-author": "Matt Frantz; Andreas Wittenstein; Mike Eynon; Laura Mather; Jim Lloyd; James Schumacher; Duane Murphy",
"d3f:kb-mitre-analysis": "This patent describes a technique for detecting man-in-the-browser attacks. Current user session data is compared with the average user session that is based on collected data representing average values across all user sessions over a data-collection period. User session data includes average time between clicks and the order in which website pages are viewed. The comparisons are combined to generate a score that indicates the likelihood that the current session is a man-in-the-browser attack.",
"d3f:kb-organization": "EMC IP Holding Co LLC",
"d3f:kb-reference-of": {
"@id": "d3f:WebSessionActivityAnalysis"
},
"d3f:kb-reference-title": "System and Method for Network Security Including Detection of Attacks Through Partner Websites",
"rdfs:label": "Reference - System and Method for Network Security Including Detection of Attacks Through Partner Websites - EMC IP Holding Co LLC"
},
{
"@id": "d3f:AccessDeniedEvent",
"@type": "owl:Class",
"d3f:definition": "An event indicating the refusal of access to a resource, where an access request has been evaluated and denied based on current authorization policies, preventing operations by the requesting agent.",
"rdfs:label": "Access Denied Event",
"rdfs:subClassOf": {
"@id": "d3f:AccessMediationEvent"
}
},
{
"@id": "d3f:IPReputationAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:IPReputationAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:IPAddress"
},
"d3f:d3fend-id": "D3-IPRA",
"d3f:definition": "Analyzing the reputation of an IP address.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages"
},
{
"@id": "d3f:Reference-Finding_phishing_sites"
}
],
"rdfs:label": "IP Reputation Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:IdentifierReputationAnalysis"
},
{
"@id": "_:Nf38e2e06b1604239a5292c1edf5f2a4a"
}
]
},
{
"@id": "_:Nf38e2e06b1604239a5292c1edf5f2a4a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:IPAddress"
}
},
{
"@id": "d3f:CWE-333",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-333",
"d3f:definition": "True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.",
"rdfs:label": "Improper Handling of Insufficient Entropy in TRNG",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-331"
},
{
"@id": "d3f:CWE-703"
},
{
"@id": "d3f:CWE-755"
}
]
},
{
"@id": "d3f:T1588.006",
"@type": "owl:Class",
"d3f:attack-id": "T1588.006",
"d3f:definition": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)",
"rdfs:label": "Vulnerabilities",
"rdfs:subClassOf": {
"@id": "d3f:T1588"
}
},
{
"@id": "d3f:CCI-000185_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:CredentialHardening"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-15T00:00:00"
},
"rdfs:label": "CCI-000185"
},
{
"@id": "d3f:CWE-1301",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1301",
"d3f:definition": "The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.",
"rdfs:label": "Insufficient or Incomplete Data Removal within Hardware Component",
"rdfs:subClassOf": {
"@id": "d3f:CWE-226"
}
},
{
"@id": "d3f:CWE-685",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-685",
"d3f:definition": "The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.",
"rdfs:label": "Function Call With Incorrect Number of Arguments",
"rdfs:subClassOf": {
"@id": "d3f:CWE-628"
}
},
{
"@id": "d3f:M1019",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:d3fend-comment": "Establishing and running a Threat Intelligence Program is outside the scope of D3FEND.",
"rdfs:label": "Threat Intelligence Program"
},
{
"@id": "d3f:CWE-776",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-776",
"d3f:definition": "The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.",
"d3f:synonym": [
"Billion Laughs Attack",
"XEE",
"XML Bomb"
],
"rdfs:label": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-405"
},
{
"@id": "d3f:CWE-674"
}
]
},
{
"@id": "d3f:ApplicationEvent",
"@type": "owl:Class",
"d3f:definition": "An event that captures the behavior, state, or interactions of software applications or services operating within a system. Application events encompass lifecycle changes, configuration updates, and operational anomalies, providing insight into the health and performance of software components.",
"rdfs:label": "Application Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/classes/application_lifecycle"
},
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalEvent"
},
{
"@id": "_:Nc40014aabb9744bc9a72976690c38850"
}
]
},
{
"@id": "_:Nc40014aabb9744bc9a72976690c38850",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:Application"
}
},
{
"@id": "d3f:T1550.004",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:adds": {
"@id": "d3f:SessionCookie"
},
"d3f:attack-id": "T1550.004",
"d3f:definition": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)",
"d3f:produces": {
"@id": "d3f:WebNetworkTraffic"
},
"rdfs:label": "Web Session Cookie",
"rdfs:subClassOf": [
{
"@id": "d3f:T1550"
},
{
"@id": "_:Ncd0ae9ce8ac249c2aa90450dd0a587a6"
},
{
"@id": "_:N3972df990dea4fd9a262148877ac14e7"
}
]
},
{
"@id": "_:Ncd0ae9ce8ac249c2aa90450dd0a587a6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:adds"
},
"owl:someValuesFrom": {
"@id": "d3f:SessionCookie"
}
},
{
"@id": "_:N3972df990dea4fd9a262148877ac14e7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:WebNetworkTraffic"
}
},
{
"@id": "d3f:T1027.016",
"@type": "owl:Class",
"d3f:attack-id": "T1027.016",
"d3f:definition": "Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)",
"rdfs:label": "Junk Code Insertion",
"rdfs:subClassOf": {
"@id": "d3f:T1027"
}
},
{
"@id": "d3f:validated-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x validated-by y: The digital artifact x has its authenticity and correctness confirmed or verified by the technique, operation, or agent y.",
"rdfs:label": "validated-by",
"rdfs:subPropertyOf": [
{
"@id": "d3f:associated-with"
},
{
"@id": "d3f:hardens"
}
]
},
{
"@id": "d3f:CWE-209",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-209",
"d3f:definition": "The product generates an error message that includes sensitive information about its environment, users, or associated data.",
"rdfs:label": "Generation of Error Message Containing Sensitive Information",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-200"
},
{
"@id": "d3f:CWE-755"
}
]
},
{
"@id": "d3f:PreAuthenticationEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing preparatory steps or processes conducted prior to the primary authentication operation. Pre-authentication often involves initial protocol exchanges, cryptographic challenges, or the validation of supplemental factors (e.g., pre-shared keys) to ensure the readiness and security of the authentication workflow.",
"rdfs:label": "Pre-Authentication Event",
"rdfs:subClassOf": [
{
"@id": "d3f:AuthenticationEvent"
},
{
"@id": "_:Ne23846a139214198a238478939456ed9"
}
]
},
{
"@id": "_:Ne23846a139214198a238478939456ed9",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:precedes"
},
"owl:someValuesFrom": {
"@id": "d3f:Authentication"
}
},
{
"@id": "d3f:DS0023",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it",
"d3f:exactly": {
"@id": "d3f:NamedPipe"
},
"rdfs:label": "Named Pipe (ATT&CK DS)"
},
{
"@id": "d3f:Correlation",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-COR",
"d3f:definition": "Correlation is the degree to which two or more quantities are linearly associated.",
"d3f:kb-article": "Wolfram MathWorld. (n.d.). Correlation. [Link](https://mathworld.wolfram.com/Correlation.html)",
"rdfs:label": "Correlation",
"rdfs:subClassOf": {
"@id": "d3f:DescriptiveStatistics"
}
},
{
"@id": "d3f:DataArtifactServer",
"@type": "owl:Class",
"d3f:definition": "A data artifact server provides access services to content in a content repository. The content repository or content store is a database of digital content with an associated set of data management, search and access methods allowing application-independent access to the content, rather like a digital library, but with the ability to store and modify content in addition to searching and retrieving. The content repository acts as the storage engine for a larger application such as a content management system or a document management system, which adds a user interface on top of the repository's application programming interface.",
"rdfs:label": "Data Artifact Server",
"rdfs:seeAlso": {
"@id": "dbr:Content_repository"
},
"rdfs:subClassOf": {
"@id": "d3f:ArtifactServer"
}
},
{
"@id": "d3f:CWE-273",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-273",
"d3f:definition": "The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.",
"rdfs:label": "Improper Check for Dropped Privileges",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-271"
},
{
"@id": "d3f:CWE-754"
}
]
},
{
"@id": "d3f:ReverseResolutionIPDenylisting",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ReverseResolutionIPDenylisting"
],
"d3f:blocks": {
"@id": "d3f:OutboundInternetDNSLookupTraffic"
},
"d3f:d3fend-id": "D3-RRID",
"d3f:definition": "Blocking a reverse lookup based on the query's IP address value.",
"d3f:kb-article": "## How it works\nThis technique prevents a client from learning domains deemed to be potentially malicious, which would have been delivered via reverse resolution responses over the DNS protocol.\n\nQueries for reverse resolution requests (that is, requests where IP(s) are sent and a domain is returned) are collected, and the IP address(es) included in the query are examined. If the IP address(es) are in a range included in the blacklist, then the query is dropped.\n\n## Considerations\n- The blacklist will have to be maintained and will need to be kept up to date with identified maintenance cycles to ensure lists are not stale.\n- DNS query traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS query IP address value(s).\n - DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP.\n - Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS queries. These protocols have often been enabled in browser settings transparently after a browser update, with DNS queries proxied over one of these cryptographic protocols through a specified host.",
"d3f:kb-reference": {
"@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
},
"d3f:synonym": "Reverse Resolution IP Blacklisting",
"rdfs:label": "Reverse Resolution IP Denylisting",
"rdfs:subClassOf": [
{
"@id": "d3f:DNSDenylisting"
},
{
"@id": "_:N6981a9ab549041189201bcdbc9d0e9ac"
}
]
},
{
"@id": "_:N6981a9ab549041189201bcdbc9d0e9ac",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:blocks"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetDNSLookupTraffic"
}
},
{
"@id": "d3f:ATTACKMergedThing",
"@type": "owl:Class",
"rdfs:label": "ATTACK Merged Thing",
"rdfs:subClassOf": {
"@id": "d3f:ATTACKThing"
}
},
{
"@id": "d3f:T1102.001",
"@type": "owl:Class",
"d3f:attack-id": "T1102.001",
"d3f:definition": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.",
"rdfs:label": "Dead Drop Resolver",
"rdfs:subClassOf": {
"@id": "d3f:T1102"
}
},
{
"@id": "d3f:T1671",
"@type": "owl:Class",
"d3f:attack-id": "T1671",
"d3f:definition": "Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends.(Citation: Push Security SaaS Persistence 2022)(Citation: SaaS Attacks GitHub Evil Twin Integrations)",
"rdfs:label": "Cloud Application Integration",
"rdfs:subClassOf": {
"@id": "d3f:PersistenceTechnique"
}
},
{
"@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeSymbiotes",
"@type": [
"owl:NamedIndividual",
"d3f:AcademicPaperReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "http://nsl.cs.columbia.edu/projects/minestrone/papers/Symbiotes.pdf"
},
"d3f:kb-abstract": "A large number of embedded devices on the internet, such as\nrouters and VOIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDS's, are available to protect these devices. We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed\nto inject intrusion detection functionality into the firmware of the device.",
"d3f:kb-author": "Ang Cui, Salvatore J. Stolfo",
"d3f:kb-organization": "Department of Computer Science Columbia University",
"d3f:kb-reference-of": {
"@id": "d3f:FirmwareEmbeddedMonitoringCode"
},
"d3f:kb-reference-title": "Defending Embedded Systems with Software Symbiotes",
"rdfs:label": "Reference - Firmware Embedded Monitoring Code Symbiotes"
},
{
"@id": "d3f:OutboundInternetEncryptedWebTraffic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Outbound internet encrypted web traffic is network traffic using a standard web protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
"rdfs:label": "Outbound Internet Encrypted Web Traffic",
"rdfs:seeAlso": {
"@id": "dbr:Internetworking"
},
"rdfs:subClassOf": [
{
"@id": "d3f:OutboundInternetEncryptedTraffic"
},
{
"@id": "d3f:OutboundInternetWebTraffic"
}
]
},
{
"@id": "d3f:CWE-464",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-464",
"d3f:definition": "The accidental addition of a data-structure sentinel can cause serious programming logic problems.",
"rdfs:label": "Addition of Data Structure Sentinel",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:semantic-relation",
"@type": "owl:ObjectProperty",
"d3f:definition": "x semantic-relation y: The entity x is conceptually or meaningfully connected to entity y.",
"rdfs:label": "semantic-relation",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:WindowsRegistryKey",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Windows Registry Keys are container objects similar to folders that contain subkeys and/or data entries called values. A key can be a 'Registry Hive' when it is root key of a logical group of keys, subkeys, and values that has a set of supporting files loaded into memory when the operating system is started or a user logs in.",
"d3f:may-contain": [
{
"@id": "d3f:WindowsRegistryKey"
},
{
"@id": "d3f:WindowsRegistryValue"
}
],
"rdfs:isDefinedBy": [
{
"@id": "http://dbpedia.org/resource/Windows_Registry#Keys_and_values"
},
{
"@id": "https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry"
}
],
"rdfs:label": "Windows Registry Key",
"rdfs:seeAlso": [
{
"@id": "https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-hives"
},
{
"@id": "https://schema.ocsf.io/objects/registry_key"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:SystemConfigurationDatabaseRecord"
},
{
"@id": "_:Ne26b9e8e50a2418b81547acc541dd192"
},
{
"@id": "_:N728c06fea5bb455aaffb3451d41e9f33"
},
{
"@id": "_:N6bb69409676b44d89111827912ad116c"
}
]
},
{
"@id": "_:Ne26b9e8e50a2418b81547acc541dd192",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryKey"
}
},
{
"@id": "_:N728c06fea5bb455aaffb3451d41e9f33",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryValue"
}
},
{
"@id": "_:N6bb69409676b44d89111827912ad116c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:windows-registry-key"
},
"owl:someValuesFrom": {
"@id": "xsd:string"
}
},
{
"@id": "d3f:ATTACKEnterpriseDataSource",
"@type": "owl:Class",
"rdfs:label": "ATTACK Enterprise Data Source",
"rdfs:subClassOf": {
"@id": "d3f:ATTACKEnterpriseThing"
}
},
{
"@id": "d3f:SuspendThread",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Suspending a thread causes the thread to stop executing user-mode code.",
"d3f:suspends": {
"@id": "d3f:Thread"
},
"rdfs:label": "Suspend Thread",
"rdfs:seeAlso": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread"
},
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Nc9eabf6cee3e4707ab4c9e75b77d43a8"
}
]
},
{
"@id": "_:Nc9eabf6cee3e4707ab4c9e75b77d43a8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:suspends"
},
"owl:someValuesFrom": {
"@id": "d3f:Thread"
}
},
{
"@id": "d3f:UnloadLibraryEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a process unloads a dynamically linked library or module, reducing its memory footprint or functionality.",
"rdfs:label": "Unload Library Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessEvent"
},
{
"@id": "_:Nc9f017a5c1b143cb806dea6b9022f91a"
},
{
"@id": "_:N985827cc07dc4c0296eaca5639508dbd"
}
]
},
{
"@id": "_:Nc9f017a5c1b143cb806dea6b9022f91a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:SharedLibraryFile"
}
},
{
"@id": "_:N985827cc07dc4c0296eaca5639508dbd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:LoadLibraryEvent"
}
},
{
"@id": "d3f:CCI-001936_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:Multi-factorAuthentication"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-05-03T00:00:00"
},
"rdfs:label": "CCI-001936"
},
{
"@id": "d3f:T1583.002",
"@type": "owl:Class",
"d3f:attack-id": "T1583.002",
"d3f:definition": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.",
"rdfs:label": "DNS Server",
"rdfs:subClassOf": {
"@id": "d3f:T1583"
}
},
{
"@id": "d3f:Reference-CAR-2020-11-005%3AClearPowershellConsoleCommandHistory_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-11-005/"
},
"d3f:kb-abstract": "Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may very a bit if the history file is not saved in the default path on a particular system.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-11-005: Clear Powershell Console Command History",
"rdfs:label": "Reference - CAR-2020-11-005: Clear Powershell Console Command History - MITRE"
},
{
"@id": "d3f:Reference-Anti-tamperSystemWithSelf-adjustingGuards_ARXANTECHNOLOGIESInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20150052603A1"
},
"d3f:kb-abstract": "An anti-tamper system is disclosed that includes self-adjusting guards inserted in software. Self-adjusting guards include invocation criteria and guard function. During run-time, each time the self-adjusting guard is invoked, the invocation criteria is evaluated and the guard function is only executed if the invocation criteria is satisfied. The invocation criteria can be static or dynamic, satisfied randomly with fixed or varying probability, a monotonically or exponentially decreasing function or most any other type of function. The invocation criteria can be satisfied based on elapsed inter-guard invocation time (time since last guard function execution), target inter-guard invocation time, and/or guard execution time. A method is disclosed of inserting self-adjusting guards into software, and executing the software. Evaluating the invocation criteria can include adjusting the invocation criteria when satisfied. The self-adjusting guards can be inserted into the software at a source or object code level.",
"d3f:kb-author": "Kevin Dale Morgan",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "ARXAN TECHNOLOGIES Inc",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessCodeSegmentVerification"
},
"d3f:kb-reference-title": "Anti-tamper system with self-adjusting guards",
"rdfs:label": "Reference - Anti-tamper system with self-adjusting guards - ARXAN TECHNOLOGIES Inc"
},
{
"@id": "d3f:T1136.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1136.002",
"d3f:creates": {
"@id": "d3f:DomainUserAccount"
},
"d3f:definition": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999)",
"rdfs:label": "Domain Account",
"rdfs:subClassOf": [
{
"@id": "d3f:T1136"
},
{
"@id": "_:Nbe72224e275c4b159db5056ac3c89961"
}
]
},
{
"@id": "_:Nbe72224e275c4b159db5056ac3c89961",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:DomainUserAccount"
}
},
{
"@id": "d3f:SoftwarePackage",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A Software Package is a bundled collection of files, code, and metadata that provides functionality, libraries, or applications.",
"rdfs:label": "Software Package",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/objects/package"
},
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:produces",
"@type": "owl:ObjectProperty",
"d3f:definition": "x produces y: The subject entity x or process produces a data object y, which may be discrete digital object or a stream (e.g., a stream such as network traffic.)",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/01625832-v"
},
"rdfs:label": "produces",
"rdfs:seeAlso": {
"@id": "d3f:creates"
},
"rdfs:subPropertyOf": [
{
"@id": "d3f:associated-with"
},
{
"@id": "d3f:may-produce"
}
],
"skos:altLabel": "outputs"
},
{
"@id": "d3f:expectation-rating",
"@type": "owl:DatatypeProperty",
"rdfs:label": "expectation-rating",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-catalog-data-property"
}
},
{
"@id": "d3f:CWE-827",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-827",
"d3f:definition": "The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.",
"rdfs:label": "Improper Control of Document Type Definition",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-706"
},
{
"@id": "d3f:CWE-829"
}
]
},
{
"@id": "d3f:CCI-002716_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:FileHashing"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements cryptographic mechanisms to detect unauthorized changes to software.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-11T00:00:00"
},
"rdfs:label": "CCI-002716"
},
{
"@id": "d3f:Reference-ServiceOutlierExecutables_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2013-09-005/"
},
"d3f:kb-abstract": "New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.",
"d3f:kb-author": "",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessLineageAnalysis"
},
"d3f:kb-reference-title": "CAR-2013-09-005: Service Outlier Executables",
"rdfs:label": "Reference - CAR-2013-09-005: Service Outlier Executables - MITRE"
},
{
"@id": "d3f:AccessMediationEvent",
"@type": "owl:Class",
"d3f:definition": "An event involving the intermediary control mechanism that evaluates access requests and enforces access control decisions, ensuring that subjects' resource interactions comply with the established access policies.",
"rdfs:label": "Access Mediation Event",
"rdfs:subClassOf": [
{
"@id": "d3f:AccessControlEvent"
},
{
"@id": "_:Nd977d7b2726344179358f0182b316786"
}
],
"skos:altLabel": "Access Enforcement Event"
},
{
"@id": "_:Nd977d7b2726344179358f0182b316786",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:AccessMediator"
}
},
{
"@id": "d3f:CWE-64",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-64",
"d3f:definition": "The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.",
"d3f:synonym": [
"Windows symbolic link following",
"symlink"
],
"rdfs:label": "Windows Shortcut Following (.LNK)",
"rdfs:subClassOf": {
"@id": "d3f:CWE-59"
}
},
{
"@id": "d3f:T1592.001",
"@type": "owl:Class",
"d3f:attack-id": "T1592.001",
"d3f:definition": "Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).",
"rdfs:label": "Hardware",
"rdfs:subClassOf": {
"@id": "d3f:T1592"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-14_2",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Session Audit | Capture and Record Content",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:LocalAccountMonitoring"
},
"rdfs:label": "AU-14(2)"
},
{
"@id": "d3f:ActivePhysicalLinkMapping",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ActivePhysicalLinkMapping"
],
"d3f:d3fend-id": "D3-APLM",
"d3f:definition": "Active physical link mapping sends and receives network traffic as a means to map the physical layer.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices"
},
{
"@id": "d3f:Reference-UsingSpanningTreeProtocolSTPToEnhanceLayer2NetworkTopologyMaps"
}
],
"d3f:may-query": {
"@id": "d3f:NetworkAgent"
},
"d3f:synonym": "Active Physical Layer Mapping",
"owl:disjointWith": {
"@id": "d3f:DirectPhysicalLinkMapping"
},
"rdfs:label": "Active Physical Link Mapping",
"rdfs:subClassOf": [
{
"@id": "d3f:PhysicalLinkMapping"
},
{
"@id": "_:N14daca78e9f1499da6a21d99c807bf73"
}
]
},
{
"@id": "_:N14daca78e9f1499da6a21d99c807bf73",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-query"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkAgent"
}
},
{
"@id": "d3f:FileRenamingEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the renaming of a file, modifying its identifier within the file system while retaining its content and metadata.",
"rdfs:label": "File Renaming Event",
"rdfs:subClassOf": [
{
"@id": "d3f:FileEvent"
},
{
"@id": "_:N152dbacd05134607a68d391947117f3d"
},
{
"@id": "_:N5408955bedc9463da9d74b1b20fcb749"
}
]
},
{
"@id": "_:N152dbacd05134607a68d391947117f3d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:FileAccessEvent"
}
},
{
"@id": "_:N5408955bedc9463da9d74b1b20fcb749",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:FileCreationEvent"
}
},
{
"@id": "d3f:ServiceEnableEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the activation of a service application, allowing it to start and provide its background or networked functionality.",
"rdfs:label": "Service Enable Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ApplicationEnableEvent"
},
{
"@id": "d3f:ServiceEvent"
},
{
"@id": "_:Nbfd49f36d15c4851bb7a5a735b8cdaab"
}
]
},
{
"@id": "_:Nbfd49f36d15c4851bb7a5a735b8cdaab",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceInstallationEvent"
}
},
{
"@id": "d3f:EncryptedCredential",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A credential that is encrypted.",
"rdfs:label": "Encrypted Credential",
"rdfs:subClassOf": {
"@id": "d3f:Credential"
}
},
{
"@id": "d3f:CWE-940",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-940",
"d3f:definition": "The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.",
"rdfs:label": "Improper Verification of Source of a Communication Channel",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-346"
},
{
"@id": "d3f:CWE-923"
}
]
},
{
"@id": "d3f:employed-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x employed-by y: An entity x is put into service by a technique or agent y. Inverse of y employs x.",
"owl:inverseOf": {
"@id": "d3f:employs"
},
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/01161188-v"
},
"rdfs:label": "employed-by",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:CustomArchiveFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A custom archive file is an archive file conforming to a custom format; that is, an archive file that does not conform to a common standard.",
"rdfs:label": "Custom Archive File",
"rdfs:subClassOf": {
"@id": "d3f:ArchiveFile"
}
},
{
"@id": "d3f:DS0033",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)",
"rdfs:comment": "This data source captures events relating to shared network resources and therefore has no direct mappings to digital artifacts.",
"rdfs:label": "Network Share (ATT&CK DS)"
},
{
"@id": "d3f:Reference-CAR-2020-09-002%3AComponentObjectModelHijacking_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-09-002/"
},
"d3f:kb-abstract": "Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\\Software\\Classes\\CLSID or HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID keys. Accordingly, this analytic looks for any changes under these keys.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:UserSessionInitConfigAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-09-002: Component Object Model Hijacking",
"rdfs:label": "Reference - CAR-2020-09-002: Component Object Model Hijacking - MITRE"
},
{
"@id": "d3f:T1055.015",
"@type": "owl:Class",
"d3f:attack-id": "T1055.015",
"d3f:definition": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.",
"rdfs:label": "ListPlanting",
"rdfs:subClassOf": {
"@id": "d3f:T1055"
}
},
{
"@id": "d3f:Reference-TrustedCommunicationsWithChildProcesses_MicrosoftTechnologyLicensingLLC",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20120174210A1"
},
"d3f:kb-abstract": "A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives as identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process the requests communication with the parent process.",
"d3f:kb-author": "Kedarnath Atmaram Dubhashi, Jonathan D. Schwartz, Sambavi Muthukrishnan, Simon Skaria",
"d3f:kb-mitre-analysis": "This patent describes a technique for detecting malicious processes that claim to be the child process of a legitimate parent process. During the spawning of a child process, a child process identifier is generated. The child process identifier is a unique identifier that can be used to identify a child process. The child process identifier is transmitted by the security system of the operating system to the parent process. The parent process keeps track of the child process identifier. When a new child-initiated communications request is received by the parent process, the parent process checks if the requesting child process identifier and the child process identifier that the parent process is tracking are the same. If the identifiers are not the same, the parent process refuses the request.",
"d3f:kb-organization": "Microsoft Technology Licensing LLC",
"d3f:kb-reference-title": "Trusted Communications With Child Processes",
"rdfs:label": "Reference - Trusted Communications With Child Processes - Microsoft Technology Licensing LLC"
},
{
"@id": "d3f:T1610",
"@type": "owl:Class",
"d3f:attack-id": "T1610",
"d3f:definition": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)",
"rdfs:label": "Deploy Container",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "d3f:ExecutionTechnique"
}
]
},
{
"@id": "d3f:Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives",
"@type": [
"owl:NamedIndividual",
"d3f:InternetArticleReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.safetydetectives.com/blog/how-does-antivirus-quarantine-work/"
},
"d3f:kb-abstract": "Your antivirus has just finished a regular scan and it’s asking whether you want to quarantine the virus it’s found. You click ‘yes’ without putting much thought into what’s actually happening. But what does quarantining actually mean, what does it do and is it safe for your computer? It’s important to understand the details so that you know what’s happening when you send infected files into quarantine.",
"d3f:kb-author": "Katarina Glamoslija",
"d3f:kb-reference-title": "How Does Antivirus Quarantine Work?",
"rdfs:label": "Reference - How Does Antivirus Quarantine Work? - Safety Detectives"
},
{
"@id": "d3f:Reference-RunDLL32.exeMonitoring_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2014-03-006/"
},
"d3f:kb-abstract": "Adversaries may find it necessary to use Dyanamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be \"executed\" is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.",
"d3f:kb-author": "MITRE",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2014-03-006: RunDLL32.exe monitoring",
"rdfs:label": "Reference - CAR-2014-03-006: RunDLL32.exe monitoring - MITRE"
},
{
"@id": "d3f:T1069.003",
"@type": "owl:Class",
"d3f:attack-id": "T1069.003",
"d3f:definition": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.",
"rdfs:label": "Cloud Groups",
"rdfs:subClassOf": {
"@id": "d3f:T1069"
}
},
{
"@id": "d3f:Reference-SystemAndMethodForStrategicAntiMalwareMonitoring",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patentimages.storage.googleapis.com/d9/02/31/3a28fefc73661d/US20230362189A1.pdf"
},
"d3f:kb-abstract": "The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.",
"d3f:kb-author": "Marcus J. Ranum, Ron Gula",
"d3f:kb-organization": "Tenable Inc",
"d3f:kb-reference-of": {
"@id": "d3f:NetworkTrafficSignatureAnalysis"
},
"d3f:kb-reference-title": "System and method for strategic anti-malware monitoring",
"rdfs:label": "Reference - System and method for strategic anti-malware monitoring - Tenable"
},
{
"@id": "d3f:DataLinkLink",
"@type": "owl:Class",
"d3f:definition": "A communication link between two network devices connected directly at the physical layer and on the same network segment; i.e., an OSI Layer 2 link.",
"d3f:synonym": [
"Data Link Layer Link",
"Layer-2 Link",
"Link Layer Link"
],
"rdfs:label": "Data Link Link",
"rdfs:seeAlso": {
"@id": "https://dbpedia.org/resource/Link_layer"
},
"rdfs:subClassOf": {
"@id": "d3f:LogicalLink"
}
},
{
"@id": "d3f:detects",
"@type": "owl:ObjectProperty",
"d3f:definition": "x detects y: The entity x discovers the presence, occurrence, or state of entity y through observation or measurement.",
"rdfs:label": "detects",
"rdfs:subPropertyOf": [
{
"@id": "d3f:counters"
},
{
"@id": "d3f:d3fend-tactical-verb-property"
}
]
},
{
"@id": "d3f:PageFrame",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contained-by": {
"@id": "d3f:PrimaryStorage"
},
"d3f:definition": "A page frame is the smallest fixed-length contiguous block of physical memory into which memory pages are mapped by the operating system.",
"rdfs:isDefinedBy": {
"@id": "https://dbpedia.org/page/Page_(computer_memory)"
},
"rdfs:label": "Page Frame",
"rdfs:subClassOf": [
{
"@id": "d3f:MemoryBlock"
},
{
"@id": "_:N9722ca2d282e43739973db3304abaac5"
}
]
},
{
"@id": "_:N9722ca2d282e43739973db3304abaac5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contained-by"
},
"owl:someValuesFrom": {
"@id": "d3f:PrimaryStorage"
}
},
{
"@id": "d3f:EncoderApplication",
"@type": "owl:Class",
"d3f:definition": "An application that encodes digital data.",
"rdfs:label": "Encoder Application",
"rdfs:subClassOf": {
"@id": "d3f:CodecApplication"
}
},
{
"@id": "d3f:OSAPIDeleteFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An OS API function that removes a file from the file system.",
"d3f:invokes": {
"@id": "d3f:DeleteFile"
},
"rdfs:label": "OS API Delete File",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPISystemFunction"
},
{
"@id": "_:Nc170d3ce97f7463fbcaa6e63be4b7739"
}
]
},
{
"@id": "_:Nc170d3ce97f7463fbcaa6e63be4b7739",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:DeleteFile"
}
},
{
"@id": "d3f:CWE-22",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-22",
"d3f:definition": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
"d3f:synonym": [
"Directory traversal",
"Path traversal"
],
"d3f:weakness-of": {
"@id": "d3f:UserInputFunction"
},
"rdfs:label": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-668"
},
{
"@id": "d3f:CWE-706"
},
{
"@id": "_:N5c6488a748fc4e90aa261bec1bcea232"
}
]
},
{
"@id": "_:N5c6488a748fc4e90aa261bec1bcea232",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:UserInputFunction"
}
},
{
"@id": "d3f:SSHConnectionCloseEvent",
"@type": "owl:Class",
"d3f:definition": "An event indicating the termination of an SSH connection, signaling the end of a secure session.",
"rdfs:label": "SSH Connection Close Event",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkConnectionCloseEvent"
},
{
"@id": "d3f:SSHEvent"
},
{
"@id": "_:N2af637c6878c45ecae5caca835cd07fc"
}
]
},
{
"@id": "_:N2af637c6878c45ecae5caca835cd07fc",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:SSHConnectionOpenEvent"
}
},
{
"@id": "d3f:ServiceEvent",
"@type": "owl:Class",
"d3f:definition": "An event capturing the operation, configuration, or lifecycle of a service application. Services are specialized applications designed to provide reusable functionality to clients, systems, or other applications, often operating in the background or across networks.",
"rdfs:label": "Service Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ApplicationEvent"
},
{
"@id": "_:N83a63524e2fc4da0af35867cc77bec29"
}
]
},
{
"@id": "_:N83a63524e2fc4da0af35867cc77bec29",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceApplication"
}
},
{
"@id": "d3f:TA0042",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.",
"d3f:display-order": 0,
"rdfs:label": "Resource Development",
"rdfs:subClassOf": [
{
"@id": "d3f:ATTACKEnterpriseTactic"
},
{
"@id": "d3f:OffensiveTactic"
}
]
},
{
"@id": "d3f:OTDeviceDescriptionMessageEvent",
"@type": "owl:Class",
"d3f:definition": "Describe features, abilities, or performance of system components.",
"rdfs:label": "OT Device Description Message Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTDeviceManagementMessageEvent"
},
{
"@id": "_:Na6696cbbf0ed4fe0b8e99e6da508fd8b"
}
]
},
{
"@id": "_:Na6696cbbf0ed4fe0b8e99e6da508fd8b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTDeviceDescriptionMessage"
}
},
{
"@id": "d3f:unloads",
"@type": "owl:ObjectProperty",
"d3f:definition": "x unloads y: The technique or artifact performs the action of unloading some artifact (applications, kernel modules, or hardware drivers, etc.) from a computer's memory.",
"rdfs:label": "unloads",
"rdfs:subPropertyOf": {
"@id": "d3f:evicts"
}
},
{
"@id": "d3f:T1204.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1204.002",
"d3f:definition": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.",
"d3f:executes": {
"@id": "d3f:ExecutableFile"
},
"rdfs:label": "Malicious File",
"rdfs:subClassOf": [
{
"@id": "d3f:T1204"
},
{
"@id": "_:N052af1e6e6a147148c58aee57432b058"
}
]
},
{
"@id": "_:N052af1e6e6a147148c58aee57432b058",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:executes"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableFile"
}
},
{
"@id": "d3f:Reference-MethodAndSystemForDetectingSuspiciousAdministrativeActivity_VectraNetworksInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20180077186A1"
},
"d3f:kb-abstract": "Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.",
"d3f:kb-author": "Nicolas Beauchesne; Kevin Song-Kai Ni",
"d3f:kb-mitre-analysis": "Collect network traffic metadata directed at administrative services over a period of time to establish a baseline. This baseline is then used to determine suspicious activity that falls outside of the established baseline.",
"d3f:kb-organization": "Vectra Networks Inc",
"d3f:kb-reference-of": {
"@id": "d3f:AdministrativeNetworkActivityAnalysis"
},
"d3f:kb-reference-title": "Method and system for detecting suspicious administrative activity",
"rdfs:label": "Reference - Method and system for detecting suspicious administrative activity - Vectra Networks Inc"
},
{
"@id": "d3f:quarantines",
"@type": "owl:ObjectProperty",
"d3f:definition": "x quarantines y: Technique x moves entity y to a place of isolation.",
"rdfs:label": "quarantines",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:Reference-RFC3411-AnArchitectureForDescribingSimpleNetworkManagementProtocolSNMPManagementFrameworks",
"@type": [
"owl:NamedIndividual",
"d3f:SpecificationReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://https://datatracker.ietf.org/doc/html/rfc3411"
},
"d3f:kb-author": "D. Harrington, R. Presuhn, B. Wijnen",
"d3f:kb-organization": "Internet Engineering Task Force (IETF)",
"d3f:kb-reference-of": {
"@id": "d3f:HardwareComponentInventory"
},
"d3f:kb-reference-title": "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks",
"rdfs:label": "Reference - An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks"
},
{
"@id": "d3f:Self-organizingMap",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SOM",
"d3f:definition": "A Self-Organizing Map (SOM) is a unsupervised learning model in Artificial Neural Network where the feature maps are the generated two-dimensional discretized form of an input space during the model training (based on competitive learning)",
"d3f:kb-article": "## References\nGeeksforGeeks. (n.d.). ANN - Self Organizing Neural Network (SONN). [Link](https://www.geeksforgeeks.org/ann-self-organizing-neural-network-sonn/)",
"rdfs:label": "Self-organizing Map",
"rdfs:subClassOf": {
"@id": "d3f:ANN-basedClustering"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-5_6",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Vulnerability Monitoring and Scanning | Automated Trend Analyses",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:PlatformHardening"
},
"rdfs:label": "RA-5(6)"
},
{
"@id": "d3f:ScheduledJobDisableEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a scheduled task is deactivated, preventing further execution until re-enabled.",
"rdfs:label": "Scheduled Job Disable Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ScheduledJobEvent"
},
{
"@id": "_:Nd531c65f414340f6b53713dc793083b7"
}
]
},
{
"@id": "_:Nd531c65f414340f6b53713dc793083b7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ScheduledJobEnableEvent"
}
},
{
"@id": "d3f:EncryptedPassword",
"@type": "owl:Class",
"d3f:definition": "A password that is encrypted.",
"rdfs:label": "Encrypted Password",
"rdfs:subClassOf": [
{
"@id": "d3f:EncryptedCredential"
},
{
"@id": "d3f:Password"
}
]
},
{
"@id": "d3f:CWE-688",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-688",
"d3f:definition": "The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.",
"rdfs:label": "Function Call With Incorrect Variable or Reference as Argument",
"rdfs:subClassOf": {
"@id": "d3f:CWE-628"
}
},
{
"@id": "d3f:T1656",
"@type": "owl:Class",
"d3f:attack-id": "T1656",
"d3f:definition": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.",
"rdfs:label": "Impersonation",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:M1050",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": [
{
"@id": "d3f:ApplicationHardening"
},
{
"@id": "d3f:ExceptionHandlerPointerValidation"
},
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:ShadowStackComparisons"
}
],
"rdfs:label": "Exploit Protection"
},
{
"@id": "d3f:Reference-CAR-2021-04-001%3ACommonWindowsProcessMasquerading_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2021-04-001/"
},
"d3f:kb-abstract": "Masquerading (T1036) is defined by ATT&CK as follows:\n\n“Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.”\n\nMalware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).\n\nThere are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2021-04-001: Common Windows Process Masquerading",
"rdfs:label": "Reference - CAR-2021-04-001: Common Windows Process Masquerading - MITRE"
},
{
"@id": "d3f:Reference-IntegerRangeValidation_SEI",
"@type": [
"owl:NamedIndividual",
"d3f:GuidelineReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf"
},
"d3f:kb-organization": "Software Engineering Institute",
"d3f:kb-reference-of": {
"@id": "d3f:IntegerRangeValidation"
},
"d3f:kb-reference-title": "SEI CERT C Coding Standard",
"rdfs:label": "Reference - Integer Range Validation"
},
{
"@id": "d3f:OperatingSystemConfigurationModificationEvent",
"@type": "owl:Class",
"d3f:definition": "An event that alters persistent operating-system configuration resources such as kernel options, registry keys, service definitions, or security policies; affecting system startup, hardware interfaces, or global security enforcement.",
"rdfs:label": "Operating System Configuration Modification Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ConfigurationModificationEvent"
},
{
"@id": "_:Ncbd2f97c53dd4dcb8ed1ea0bb0438dad"
}
]
},
{
"@id": "_:Ncbd2f97c53dd4dcb8ed1ea0bb0438dad",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingSystemConfiguration"
}
},
{
"@id": "d3f:Pix2Pix",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-PIX",
"d3f:definition": "Pix2Pix is based on condtional GAN architecture and are trained on paired set of images or scenes from two domains to be used for translation.",
"d3f:kb-article": "## References\nEsri. (n.d.). How Pix2Pix Works. [Link](https://developers.arcgis.com/python/guide/how-pix2pix-works/)",
"rdfs:label": "Pix2Pix",
"rdfs:subClassOf": {
"@id": "d3f:Image-to-ImageTranslationGAN"
}
},
{
"@id": "d3f:DHCPOfferEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a DHCP server sends an OFFER message to a client in response to a DISCOVER request, proposing an IP address and associated configuration parameters.",
"rdfs:label": "DHCP Offer Event",
"rdfs:subClassOf": [
{
"@id": "d3f:DHCPEvent"
},
{
"@id": "_:N8d43efbcb1854155bad86fe56f0e2d1b"
}
],
"skos:altLabel": "DHCPOFFER"
},
{
"@id": "_:N8d43efbcb1854155bad86fe56f0e2d1b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:DHCPDiscoverEvent"
}
},
{
"@id": "d3f:T1073",
"@type": "owl:Class",
"d3f:attack-id": "T1073",
"d3f:definition": "Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1574.002",
"rdfs:label": "DLL Side-Loading",
"rdfs:seeAlso": "T1574.002",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:T1011.001",
"@type": "owl:Class",
"d3f:attack-id": "T1011.001",
"d3f:definition": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.",
"rdfs:label": "Exfiltration Over Bluetooth",
"rdfs:subClassOf": {
"@id": "d3f:T1011"
}
},
{
"@id": "d3f:SoftwareDeploymentTool",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Software that coordinates the deployment process of software to systems, typically remotely.",
"rdfs:label": "Software Deployment Tool",
"rdfs:subClassOf": {
"@id": "d3f:ServiceApplication"
}
},
{
"@id": "d3f:Reference-SystemAndMethodsThereofForLogicalIdentificationOfMaliciousThreatsAcrossAPluralityOfEnd-pointDevicesCommunicativelyConnectedByANetwork_PaloAltoNetworksIncCyberSecdoLtd",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20180373870A1/en?oq=US-2018373870-A1"
},
"d3f:kb-abstract": "A computerized method for logical identification of malicious threats across a plurality of end-point devices (EPD) communicatively connected by a network, comprising collecting over the network an identifier associated with each file of a plurality of files, wherein each file of the plurality of files is installed on at least one of the plurality of EPDs and wherein the identifier is the same for each like file of the plurality of file. Information associated with an identified subset of files is collected, wherein the information indicates at least a time at which the at least one file was installed on one or more of the plurality of EPDs and the way the at least one file spread within the network. The collected information is analyzed according to a set of predetermined computerized investigation rules. The analysis is used to determine whether at least a file of the identified subset files is a suspicious file.",
"d3f:kb-author": "Gil BARAK",
"d3f:kb-mitre-analysis": "This patent describes detecting suspicious files using file metadata such as the prevalence of the file deployed on the network, file installation times, and how the file was spread within the network. The combination of these factors are used to determine a risk score of the file and if below a threshold, sends an alert.",
"d3f:kb-organization": "Palo Alto Networks IncCyber Secdo Ltd",
"d3f:kb-reference-of": {
"@id": "d3f:FileContentRules"
},
"d3f:kb-reference-title": "System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network",
"rdfs:label": "Reference - System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network - Palo Alto Networks IncCyber Secdo Ltd"
},
{
"@id": "d3f:Reference-ThreatDetectionThroughTheAccumulatedDetectionOfThreatCharacteristics_SophosLtd",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US9104864B2/en?oq=US-9104864-B2"
},
"d3f:kb-abstract": "Embodiments of the present disclosure provide for improved capabilities in the detection of malware, where malware threats are detected through the accumulated identification of threat characteristics for targeted computer objects. Methods and systems include dynamic threat detection providing a first database that correlates a plurality of threat characteristics to a threat, wherein a presence of the plurality of the threat characteristics confirms a presence of the threat; detecting a change event in a computer run-time process; testing the change event for a presence of one or more of the plurality of characteristics upon detection of the change event; storing a detection of one of the plurality of characteristics in a second database that accumulates detected characteristics for the computer run-time process; and identifying the threat when each one of the plurality of characteristics appears in the second database.",
"d3f:kb-author": "Clifford Penton; Irene Michlin",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Sophos Ltd",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessCodeSegmentVerification"
},
"d3f:kb-reference-title": "Threat detection through the accumulated detection of threat characteristics",
"rdfs:label": "Reference - Threat detection through the accumulated detection of threat characteristics - Sophos Ltd"
},
{
"@id": "d3f:CCI-000143_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:SystemDaemonMonitoring"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-20T00:00:00"
},
"rdfs:label": "CCI-000143"
},
{
"@id": "d3f:CWE-655",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-655",
"d3f:definition": "The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.",
"rdfs:label": "Insufficient Psychological Acceptability",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-657"
},
{
"@id": "d3f:CWE-693"
}
]
},
{
"@id": "d3f:RestoreConfiguration",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:RestoreConfiguration"
],
"d3f:d3fend-id": "D3-RC",
"d3f:definition": "Restoring an software configuration.",
"d3f:kb-reference": {
"@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
},
"d3f:restores": {
"@id": "d3f:ConfigurationResource"
},
"rdfs:label": "Restore Configuration",
"rdfs:subClassOf": [
{
"@id": "d3f:RestoreObject"
},
{
"@id": "_:Nd34a783eab7d43f7801d5e50e91ccab1"
}
]
},
{
"@id": "_:Nd34a783eab7d43f7801d5e50e91ccab1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restores"
},
"owl:someValuesFrom": {
"@id": "d3f:ConfigurationResource"
}
},
{
"@id": "d3f:CCI-001350_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of audit information.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:FileEncryption"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-22T00:00:00"
},
"rdfs:label": "CCI-001350"
},
{
"@id": "d3f:CCI-000200_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system prohibits password reuse for the organization-defined number of generations.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:StrongPasswordPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-22T00:00:00"
},
"rdfs:label": "CCI-000200"
},
{
"@id": "d3f:SystemConfigurationInitDatabaseRecord",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A database record holding information used to configure the services, parameters, and initial settings for an operating system at startup.",
"rdfs:label": "System Configuration Init Database Record",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemConfigurationDatabaseRecord"
},
{
"@id": "d3f:SystemConfigurationInitResource"
},
{
"@id": "d3f:SystemInitConfiguration"
}
],
"skos:altLabel": "System Configuration Startup Database Record"
},
{
"@id": "d3f:Thread",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A Thread is the smallest unit of execution within a process, representing a sequence of instructions that can be scheduled and executed independently by the operating system.",
"rdfs:label": "Thread",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-6",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Timely Maintenance",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:SoftwareUpdate"
},
"rdfs:label": "MA-6"
},
{
"@id": "d3f:published",
"@type": "owl:DatatypeProperty",
"d3f:definition": "Date of publication of the resource.",
"rdfs:label": {
"@language": "en",
"@value": "date published"
},
"rdfs:range": {
"@id": "xsd:dateTime"
},
"rdfs:subPropertyOf": {
"@id": "d3f:date"
}
},
{
"@id": "d3f:T1596.002",
"@type": "owl:Class",
"d3f:attack-id": "T1596.002",
"d3f:definition": "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)",
"rdfs:label": "WHOIS",
"rdfs:subClassOf": {
"@id": "d3f:T1596"
}
},
{
"@id": "d3f:WindowsQueryPerformanceCounter",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Retrieves the current value of the performance counter, which is a high resolution (<1us) time stamp that can be used for time-interval measurements.",
"d3f:invokes": {
"@id": "d3f:WindowsNtQuerySystemTime"
},
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/profileapi/nf-profileapi-queryperformancecounter"
},
"rdfs:label": "Windows QueryPerformanceCounter",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPIGetSystemTime"
},
{
"@id": "_:Nb1118e30f58748bfbab364dea537b6a3"
}
]
},
{
"@id": "_:Nb1118e30f58748bfbab364dea537b6a3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtQuerySystemTime"
}
},
{
"@id": "d3f:CWE-175",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-175",
"d3f:definition": "The product does not properly handle when the same input uses several different (mixed) encodings.",
"rdfs:label": "Improper Handling of Mixed Encoding",
"rdfs:subClassOf": {
"@id": "d3f:CWE-172"
}
},
{
"@id": "d3f:EventLogExportEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the export of event log data to a file or external system for backup or analysis purposes.",
"rdfs:label": "Event Log Export Event",
"rdfs:subClassOf": {
"@id": "d3f:EventLogEvent"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-2",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Event Logging",
"d3f:exactly": {
"@id": "d3f:LocalAccountMonitoring"
},
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AU-2"
},
{
"@id": "d3f:EmailFiltering",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:EmailFiltering"
],
"d3f:d3fend-id": "D3-EF",
"d3f:definition": "Filtering incoming email traffic based on specific criteria.",
"d3f:filters": {
"@id": "d3f:Email"
},
"d3f:kb-article": "## How it works\n\nMail filters can be implemented to scan inbound email messages at the initial SMTP connection stage to detect and reject email containing spam and malware.\n\nThis technique is distinct from d3f:EmailDeletion because it prevents an email from reaching an user's inbox. This technique can also be used for outbound email traffic.\n\n## Considerations\n* The effectiveness of mail filters depend on the completeness of the filter policies",
"d3f:kb-reference": {
"@id": "d3f:Reference-SystemAndMethodForProvidingAnonymousRemailingAndFilteringOfElectronicMail_Nokia"
},
"rdfs:label": "Email Filtering",
"rdfs:subClassOf": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "_:N62a4ddf8ad0d47629f653aac5b549732"
}
]
},
{
"@id": "_:N62a4ddf8ad0d47629f653aac5b549732",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:filters"
},
"owl:someValuesFrom": {
"@id": "d3f:Email"
}
},
{
"@id": "d3f:BlockDevice",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": [
{
"@id": "d3f:BootSector"
},
{
"@id": "d3f:Partition"
},
{
"@id": "d3f:PartitionTable"
}
],
"d3f:definition": "A block device (or block special file) provides buffered access to hardware devices, and provides some abstraction from their specifics.\n\nIEEE Std 1003.1-2017: A file that refers to a device. A block special file is normally distinguished from a character special file by providing access to the device in a manner such that the hardware characteristics of the device are not visible.",
"d3f:may-contain": {
"@id": "d3f:Volume"
},
"rdfs:isDefinedBy": {
"@id": "http://dbpedia.org/resource/Device_file#BLOCKDEV"
},
"rdfs:label": "Block Device",
"rdfs:seeAlso": {
"@id": "https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_79"
},
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:N462876aa563349e0b695a84786094b9d"
},
{
"@id": "_:Nccea863f465b4c2cbc153510d0c28dc2"
},
{
"@id": "_:Nda0d1a01483b4e3993a432e757d72c73"
},
{
"@id": "_:N51f5f597a3874a629a899ea3955c37fb"
}
],
"skos:altLabel": "Block Special File"
},
{
"@id": "_:N462876aa563349e0b695a84786094b9d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:BootSector"
}
},
{
"@id": "_:Nccea863f465b4c2cbc153510d0c28dc2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:Partition"
}
},
{
"@id": "_:Nda0d1a01483b4e3993a432e757d72c73",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:PartitionTable"
}
},
{
"@id": "_:N51f5f597a3874a629a899ea3955c37fb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:Volume"
}
},
{
"@id": "d3f:CWE-351",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-351",
"d3f:definition": "The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.",
"rdfs:label": "Insufficient Type Distinction",
"rdfs:subClassOf": {
"@id": "d3f:CWE-345"
}
},
{
"@id": "d3f:UserAccountMFAEnableEvent",
"@type": "owl:Class",
"d3f:definition": "An event where multi-factor authentication (MFA) is enabled for a user account.",
"rdfs:label": "User Account MFA Enable Event",
"rdfs:subClassOf": [
{
"@id": "d3f:UserAccountEvent"
},
{
"@id": "_:Ndfd68a1f7b7a486aafc93b5658db5c48"
}
]
},
{
"@id": "_:Ndfd68a1f7b7a486aafc93b5658db5c48",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccountCreationEvent"
}
},
{
"@id": "d3f:d3fend-comment",
"@type": "owl:DatatypeProperty",
"d3f:definition": "x d3fend-comment y: The entity x has an D3FEND team written a public note about entity y.",
"rdfs:label": "d3fend-comment",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-kb-data-property"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_3",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:broader": {
"@id": "d3f:AccountLocking"
},
"d3f:control-name": "Account Management | Disable Accounts",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-2(3)"
},
{
"@id": "d3f:FTPDeleteEvent",
"@type": "owl:Class",
"d3f:definition": "An event where files or directories are removed from an FTP server, resulting in their permanent deletion from the remote system.",
"rdfs:label": "FTP Delete Event",
"rdfs:subClassOf": [
{
"@id": "d3f:FTPEvent"
},
{
"@id": "_:N070247daef8c49078abc8c924431f7aa"
}
]
},
{
"@id": "_:N070247daef8c49078abc8c924431f7aa",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:FTPPutEvent"
}
},
{
"@id": "d3f:T1573",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1573",
"d3f:definition": "Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
"d3f:produces": {
"@id": "d3f:OutboundInternetEncryptedTraffic"
},
"rdfs:label": "Encrypted Channel",
"rdfs:subClassOf": [
{
"@id": "d3f:CommandAndControlTechnique"
},
{
"@id": "_:N183458a1cb7b4b4bbb41e03d57dff33c"
}
],
"skos:altLabel": [
"Custom Command and Control Protocol",
"Custom Cryptographic Protocol",
"Multilayer Encryption"
]
},
{
"@id": "_:N183458a1cb7b4b4bbb41e03d57dff33c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetEncryptedTraffic"
}
},
{
"@id": "d3f:CWE-152",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-152",
"d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.",
"rdfs:label": "Improper Neutralization of Macro Symbols",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:SMBFileSupersedeEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a file is overwritten if it exists or created if it does not. This operation combines file creation and modification semantics.",
"rdfs:label": "SMB File Supersede Event",
"rdfs:subClassOf": {
"@id": "d3f:SMBEvent"
}
},
{
"@id": "d3f:NonlinearRegressionLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-NRL",
"d3f:definition": "A supervised learning method that builds a non-linear regression model using training data.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/Nonlinear_regression)",
"rdfs:label": "Nonlinear Regression Learning",
"rdfs:seeAlso": {
"@id": "d3f:NonlinearRegression"
},
"rdfs:subClassOf": {
"@id": "d3f:RegressionAnalysisLearning"
}
},
{
"@id": "d3f:Grid-basedClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-GBC",
"d3f:definition": "Divides the entire data space into a finite number of cells reducing the complexity of the data and focuses on the cells rather than the data.",
"d3f:kb-article": "## References\nTechVidvan. (n.d.). Clustering in Machine Learning Tutorial. [Link](https://techvidvan.com/tutorials/clustering-in-machine-learning/)",
"rdfs:label": "Grid-based Clustering",
"rdfs:subClassOf": {
"@id": "d3f:High-dimensionClustering"
}
},
{
"@id": "d3f:DHCPDiscoverEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a DHCP client broadcasts a DISCOVER message to identify available DHCP servers capable of providing IP configuration.",
"rdfs:label": "DHCP Discover Event",
"rdfs:subClassOf": {
"@id": "d3f:DHCPEvent"
},
"skos:altLabel": "DHCPDISCOVER"
},
{
"@id": "d3f:WindowsRegistryKeyUpdateEvent",
"@type": "owl:Class",
"d3f:definition": "An event where an existing registry key is updated or reconfigured, reflecting changes to its metadata or properties.",
"rdfs:label": "Windows Registry Key Update Event",
"rdfs:subClassOf": [
{
"@id": "d3f:WindowsRegistryKeyEvent"
},
{
"@id": "_:Ne1d5dcf00b93483888551d6c4a7dc275"
}
]
},
{
"@id": "_:Ne1d5dcf00b93483888551d6c4a7dc275",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryKeyCreationEvent"
}
},
{
"@id": "d3f:Reference-IndirectBranchingCalls",
"@type": [
"owl:NamedIndividual",
"d3f:AcademicPaperReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1048.1241&rep=rep1&type=pdf"
},
"d3f:kb-abstract": "Return-oriented programming (ROP) has become the\nprimary exploitation technique for system compromise\nin the presence of non-executable page protections. ROP\nexploits are facilitated mainly by the lack of complete\naddress space randomization coverage or the presence\nof memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations.\nIn this paper we present a practical runtime ROP exploit prevention technique for the protection of thirdparty applications. Our approach is based on the detection of abnormal control transfers that take place during\nROP code execution. This is achieved using hardware\nfeatures of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to\nthe protected applications. Our implementation for Windows 7, named kBouncer, can be selectively enabled for\ninstalled programs in the same fashion as user-friendly\nmitigation toolkits like Microsoft's EMET. The results of\nour evaluation demonstrate that kBouncer has low runtime overhead of up to 4%, when stressed with specially\ncrafted workloads that continuously trigger its core detection component, while it has negligible overhead for\nactual user applications. In our experiments with in-thewild ROP exploits, kBouncer successfully protected all\ntested applications, including Internet Explorer, Adobe\nFlash Player, and Adobe Reader.",
"d3f:kb-author": "Vasilis Pappas, Michalis Polychronakis, Angelos D. Keromytis\nColumbia University",
"d3f:kb-organization": "Columbia University",
"d3f:kb-reference-of": {
"@id": "d3f:IndirectBranchCallAnalysis"
},
"d3f:kb-reference-title": "Transparent ROP Exploit Mitigation using Indirect Branch Tracing",
"rdfs:label": "Reference - Indirect Branching Calls"
},
{
"@id": "d3f:TransferLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-TL",
"d3f:definition": "Transfer learning (TL) is a research problem in machine learning (ML) that focuses on storing knowledge gained while solving one problem and applying it to a different but related problem.",
"d3f:kb-article": "## References\nTransfer learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Transfer_learning).",
"rdfs:label": "Transfer Learning",
"rdfs:seeAlso": [
{
"@id": "https://arxiv.org/abs/1808.01974"
},
{
"@id": "https://arxiv.org/abs/1911.02685"
},
{
"@id": "https://journalofbigdata.springeropen.com/articles/10.1186/s40537-016-0043-6"
}
],
"rdfs:subClassOf": {
"@id": "d3f:MachineLearning"
}
},
{
"@id": "d3f:PropertyListFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "In the OS X, iOS, NeXTSTEP, and GNUstep programming frameworks, property list files are files that store serialized objects. Property list files use the filename extension .plist, and thus are often referred to as p-list files. Property list files are often used to store a user's settings. They are also used to store information about bundles and applications, a task served by the resource fork in the old Mac OS.",
"rdfs:isDefinedBy": {
"@id": "dbr:Property_list"
},
"rdfs:label": "Property List File",
"rdfs:subClassOf": {
"@id": "d3f:ConfigurationFile"
},
"skos:altLabel": "Plist File"
},
{
"@id": "d3f:OTModifyDeviceOperatingModeCommand",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Modifies the running state of an application or program on a device.",
"d3f:modifies": {
"@id": "d3f:OperatingMode"
},
"rdfs:comment": [
"BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
"GE-SRTP: SET PLC (RUN VS STOP)"
],
"rdfs:label": "OT Modify Device Operating Mode Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyDeviceConfigurationCommand"
},
{
"@id": "_:Na11815827b404a6e95a97cb2801a99e8"
}
]
},
{
"@id": "_:Na11815827b404a6e95a97cb2801a99e8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingMode"
}
},
{
"@id": "d3f:CWE-20",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-20",
"d3f:definition": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.",
"d3f:weakness-of": {
"@id": "d3f:UserInputFunction"
},
"rdfs:label": "Improper Input Validation",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-707"
},
{
"@id": "_:N4aa726afd39b47fb947393403ffba80e"
}
]
},
{
"@id": "_:N4aa726afd39b47fb947393403ffba80e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:UserInputFunction"
}
},
{
"@id": "d3f:Reference-SNMPNetworkAutoDiscovery",
"@type": [
"owl:NamedIndividual",
"d3f:UserManualReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://docs.device42.com/auto-discovery/network-auto-discovery/"
},
"d3f:kb-abstract": "SNMP, or Simple Network Management Protocol, is a protocol and a standard that is supported by just about any managed network-connected hardware. There are three widely deployed versions: SNMP v1, v2c (most commonly used), and v3. SNMP is typically utilized read-only, but supports read/write, and by default utilized port 161. SNMP exposes management data in the form of ‘variables’, which are organized in what is known as a MIB, or “Management Information Base”. A MIB essentially describes the variables available on a given system, each of which can be remotely queried via SNMP.",
"d3f:kb-organization": "Device 42",
"d3f:kb-reference-of": {
"@id": "d3f:ActiveLogicalLinkMapping"
},
"d3f:kb-reference-title": "SNMP - Network Auto Discovery",
"rdfs:label": "Reference - SNMP - Network Auto-Discovery"
},
{
"@id": "d3f:windows-registry-key",
"@type": "owl:DatatypeProperty",
"d3f:definition": "x value y: The key-value pair x has the key y.",
"rdfs:label": "windows-registry-key",
"rdfs:subPropertyOf": {
"@id": "d3f:windows-registry-data-property"
},
"skos:altLabel": "key"
},
{
"@id": "d3f:GroupCreationEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a new group is established within the system, defining an entity to manage users and permissions collectively.",
"rdfs:label": "Group Creation Event",
"rdfs:subClassOf": {
"@id": "d3f:GroupManagementEvent"
}
},
{
"@id": "d3f:FileMagicByteVerification",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:FileMagicByteVerification"
],
"d3f:analyzes": {
"@id": "d3f:FileMagicBytes"
},
"d3f:d3fend-id": "D3-FMBV",
"d3f:definition": "Utilizing the magic number to verify the file",
"d3f:kb-article": "## How it works\n\nMany file formats use magic numbers to identify a file format or protocol. Verifying that the magic number matches the expected value of its declared format is a simple way of verifying the file format.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation"
},
{
"@id": "d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics"
}
],
"rdfs:label": "File Magic Byte Verification",
"rdfs:subClassOf": [
{
"@id": "d3f:FileMetadataValueVerification"
},
{
"@id": "_:N98715e2906fa4d109d4eb90451e6b547"
}
]
},
{
"@id": "_:N98715e2906fa4d109d4eb90451e6b547",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:FileMagicBytes"
}
},
{
"@id": "d3f:T1012",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:SystemConfigurationDatabase"
},
"d3f:attack-id": "T1012",
"d3f:definition": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.",
"d3f:may-invoke": {
"@id": "d3f:GetSystemConfigValue"
},
"rdfs:label": "Query Registry",
"rdfs:subClassOf": [
{
"@id": "d3f:DiscoveryTechnique"
},
{
"@id": "_:N2605f16b224e4de1a19b112e1a7c4fe5"
},
{
"@id": "_:Ncdc65422b4474fa599917041ab50f179"
}
]
},
{
"@id": "_:N2605f16b224e4de1a19b112e1a7c4fe5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemConfigurationDatabase"
}
},
{
"@id": "_:Ncdc65422b4474fa599917041ab50f179",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:GetSystemConfigValue"
}
},
{
"@id": "d3f:T1587.002",
"@type": "owl:Class",
"d3f:attack-id": "T1587.002",
"d3f:definition": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.",
"rdfs:label": "Code Signing Certificates",
"rdfs:subClassOf": {
"@id": "d3f:T1587"
}
},
{
"@id": "d3f:AuthenticationServer",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:AuthenticationServiceApplication"
},
"d3f:definition": "An authentication server provides a network service that applications use to authenticate the credentials, usually account names and passwords, of their users. When a client submits a valid set of credentials, it receives a cryptographic ticket that it can subsequently use to access various services. Major authentication algorithms include passwords, Kerberos, and public key encryption.",
"d3f:manages": {
"@id": "d3f:AuthenticationService"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Authentication_server"
},
"rdfs:label": "Authentication Server",
"rdfs:subClassOf": [
{
"@id": "d3f:Server"
},
{
"@id": "_:Nd9449867c81341099e30802db5ea39c0"
},
{
"@id": "_:N55f96c94a834476a932b70d98d49635e"
}
]
},
{
"@id": "_:Nd9449867c81341099e30802db5ea39c0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:AuthenticationServiceApplication"
}
},
{
"@id": "_:N55f96c94a834476a932b70d98d49635e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:manages"
},
"owl:someValuesFrom": {
"@id": "d3f:AuthenticationService"
}
},
{
"@id": "d3f:T1585.002",
"@type": "owl:Class",
"d3f:attack-id": "T1585.002",
"d3f:definition": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin)",
"rdfs:label": "Email Accounts",
"rdfs:subClassOf": {
"@id": "d3f:T1585"
}
},
{
"@id": "d3f:ContainerImageAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ContainerImageAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:ContainerImage"
},
"d3f:d3fend-id": "D3-CIA",
"d3f:definition": "Analyzing a Container Image with respect to a set of policies.",
"d3f:kb-article": "## How it works\n\nContainer images are standalone collections of the executable code and\ncontent that are used to populate a container environment.\nThey are usually created by either building a container from scratch or by\nbuilding on top of an existing image pulled from a repository.\n\nThroughout the container build workflow,\nimages should be scanned to identify:\n\n- outdated libraries,\n- known vulnerabilities,\n- or misconfigurations, such as insecure ports or permissions.\n\nScanning should also provide the flexibility to disregard false positives\nfor vulnerability detection where knowledgeable\ncybersecurity professionals have deemed alerts to be inaccurate.\n\nOne approach to implementing image scanning is to use an admission controller\nto block deployments if the image does not comply with the organization's\nsecurity policies.\n\nAn admission controller is a Container Orchestration feature that can intercept and\nprocess requests to the Container Orchestration API prior to persistence of the object,\nbut after the request is authenticated and authorized.\nA webhook can be implemented to scan any image before it is deployed in the orchestrator.\nThis admission controller\n\n## Considerations\n\n* Image scanning is key to ensuring deployed containers are secure.\n* Using trusted repositories to build containers is a critical part of the container build workflow.\n* This technique does not necessarly prevent the build process to add insecure or unsecured\n files to the Image.\n",
"d3f:kb-reference": {
"@id": "d3f:Reference-ContainerImageAnalysis"
},
"d3f:synonym": "Container Image Scanning",
"rdfs:label": "Container Image Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:AssetVulnerabilityEnumeration"
},
{
"@id": "_:Nae13d33dc59f4da3a74357705718f3e1"
}
]
},
{
"@id": "_:Nae13d33dc59f4da3a74357705718f3e1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:ContainerImage"
}
},
{
"@id": "d3f:CWE-408",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-408",
"d3f:definition": "The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.",
"rdfs:label": "Incorrect Behavior Order: Early Amplification",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-405"
},
{
"@id": "d3f:CWE-696"
}
]
},
{
"@id": "d3f:OTDeleteControlProgramCommand",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Commands a remote device to remove an existing control program.",
"d3f:modifies": {
"@id": "d3f:OTControlProgram"
},
"rdfs:label": "OT Delete Control Program Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyControlProgramCommand"
},
{
"@id": "_:N9d48860790dc4b51946145607646c732"
}
]
},
{
"@id": "_:N9d48860790dc4b51946145607646c732",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:OTControlProgram"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_IR-4_13",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Incident Handling | Behavior Analysis",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:related": [
{
"@id": "d3f:DecoyEnvironment"
},
{
"@id": "d3f:DecoyObject"
}
],
"rdfs:label": "IR-4(13)"
},
{
"@id": "d3f:CWE-430",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-430",
"d3f:definition": "The wrong \"handler\" is assigned to process an object.",
"rdfs:label": "Deployment of Wrong Handler",
"rdfs:subClassOf": {
"@id": "d3f:CWE-691"
}
},
{
"@id": "d3f:WindowsRegistryValueEvent",
"@type": "owl:Class",
"d3f:definition": "Events representing actions performed on Windows Registry values, which store configuration data within registry keys.",
"rdfs:label": "Windows Registry Value Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/classes/win/registry_value_activity"
},
"rdfs:subClassOf": [
{
"@id": "d3f:WindowsRegistryEvent"
},
{
"@id": "_:N520c7b2f05a847c4bb7c62b52ae01c08"
}
]
},
{
"@id": "_:N520c7b2f05a847c4bb7c62b52ae01c08",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryValue"
}
},
{
"@id": "d3f:LDIFRecord",
"@type": [
"owl:NamedIndividual",
"d3f:UserAccount"
],
"rdfs:label": "LDIF Record"
},
{
"@id": "d3f:Classifying",
"@type": "owl:Class",
"rdfs:label": "Classifying",
"rdfs:subClassOf": {
"@id": "d3f:AnalyticalPurpose"
}
},
{
"@id": "d3f:OperationalRiskAssessment",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:OperationalRiskAssessment"
],
"d3f:d3fend-id": "D3-ORA",
"d3f:definition": "Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.",
"d3f:evaluates": {
"@id": "d3f:Organization"
},
"d3f:identifies": {
"@id": "d3f:Vulnerability"
},
"d3f:kb-reference": [
{
"@id": "d3f:Reference-MGT516ManagingSecurityVulnerabilitiesEnterpriseAndCloud"
},
{
"@id": "d3f:Reference-NIST-RMF-Quick-Start-Guide-Assess-Step-FAQ"
},
{
"@id": "d3f:Reference-NIST-Special-Publication-800-160-Volume-1"
},
{
"@id": "d3f:Reference-NIST-Special-Publication-800-37-Revision-2"
},
{
"@id": "d3f:Reference-NIST-Special-Publication-800-53A-Revision-5"
},
{
"@id": "d3f:Reference-NISTIR-8011-Volume-1"
}
],
"d3f:synonym": "Mission Risk Assessment",
"rdfs:label": "Operational Risk Assessment",
"rdfs:subClassOf": [
{
"@id": "d3f:OperationalActivityMapping"
},
{
"@id": "_:N7f60e1e1313f4de2b27836555a6b8d2f"
},
{
"@id": "_:N4267a5ae5a804b9cb11ff44973ee5ced"
}
]
},
{
"@id": "_:N7f60e1e1313f4de2b27836555a6b8d2f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:evaluates"
},
"owl:someValuesFrom": {
"@id": "d3f:Organization"
}
},
{
"@id": "_:N4267a5ae5a804b9cb11ff44973ee5ced",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:identifies"
},
"owl:someValuesFrom": {
"@id": "d3f:Vulnerability"
}
},
{
"@id": "d3f:WindowsTerminateProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Terminates the specified process and all of its threads.",
"d3f:invokes": {
"@id": "d3f:WindowsNtTerminateProcess"
},
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess"
},
"rdfs:label": "Windows TerminateProcess",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPITerminateProcess"
},
{
"@id": "_:N2da619b7c002431f90c8072f80bcb4ad"
}
]
},
{
"@id": "_:N2da619b7c002431f90c8072f80bcb4ad",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtTerminateProcess"
}
},
{
"@id": "d3f:T1155",
"@type": "owl:Class",
"d3f:attack-id": "T1155",
"d3f:definition": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1059.002",
"rdfs:label": "AppleScript",
"rdfs:seeAlso": "T1059.002",
"rdfs:subClassOf": {
"@id": "d3f:ExecutionTechnique"
}
},
{
"@id": "d3f:ContentFiltering",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ContentFiltering"
],
"d3f:d3fend-id": "D3-CF",
"d3f:definition": "Content Filtering techniques aid in the process of analyzing an input file for malicious or erroneous content and outputing a sanitized version.",
"d3f:enables": {
"@id": "d3f:Isolate"
},
"d3f:enforces": {
"@id": "d3f:ContentPolicy"
},
"d3f:filters": {
"@id": "d3f:File"
},
"d3f:kb-reference": {
"@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
},
"rdfs:label": "Content Filtering",
"rdfs:subClassOf": [
{
"@id": "d3f:DefensiveTechnique"
},
{
"@id": "_:Nad1470a8519c43679ad6373c1c081692"
},
{
"@id": "_:N908f6d49ad7b4de7a62cbbe34e11c0a5"
},
{
"@id": "_:N6e83828a3ef94c3e91bc47a6da12fc8e"
}
]
},
{
"@id": "_:Nad1470a8519c43679ad6373c1c081692",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:Isolate"
}
},
{
"@id": "_:N908f6d49ad7b4de7a62cbbe34e11c0a5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enforces"
},
"owl:someValuesFrom": {
"@id": "d3f:ContentPolicy"
}
},
{
"@id": "_:N6e83828a3ef94c3e91bc47a6da12fc8e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:filters"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:RegistryKeyDeletion",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:RegistryKeyDeletion"
],
"d3f:d3fend-id": "D3-RKD",
"d3f:definition": "Delete a registry key.",
"d3f:deletes": {
"@id": "d3f:WindowsRegistryKey"
},
"d3f:kb-reference": {
"@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
},
"rdfs:label": "Registry Key Deletion",
"rdfs:subClassOf": [
{
"@id": "d3f:ObjectEviction"
},
{
"@id": "_:N4095164c2894440bbfd3b53fd8daeaa2"
}
]
},
{
"@id": "_:N4095164c2894440bbfd3b53fd8daeaa2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:deletes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryKey"
}
},
{
"@id": "d3f:Goal",
"@type": "owl:Class",
"rdfs:label": "Goal",
"rdfs:subClassOf": {
"@id": "d3f:D3FENDCore"
}
},
{
"@id": "d3f:CCI-002289_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:UserAccountPermissions"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals).",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-24T00:00:00"
},
"rdfs:label": "CCI-002289"
},
{
"@id": "d3f:CWE-62",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-62",
"d3f:definition": "The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.",
"rdfs:label": "UNIX Hard Link",
"rdfs:subClassOf": {
"@id": "d3f:CWE-59"
}
},
{
"@id": "d3f:evaluates",
"@type": "owl:ObjectProperty",
"d3f:definition": "x evaluates y: The entity x systematically assesses entity y to judge its state, quality, or risk.",
"rdfs:label": "evaluates",
"rdfs:subPropertyOf": [
{
"@id": "d3f:associated-with"
},
{
"@id": "d3f:may-evaluate"
}
]
},
{
"@id": "d3f:T1621",
"@type": "owl:Class",
"d3f:attack-id": "T1621",
"d3f:definition": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.",
"rdfs:label": "Multi-Factor Authentication Request Generation",
"rdfs:subClassOf": {
"@id": "d3f:CredentialAccessTechnique"
}
},
{
"@id": "d3f:CWE-233",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-233",
"d3f:definition": "The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.",
"rdfs:label": "Improper Handling of Parameters",
"rdfs:subClassOf": {
"@id": "d3f:CWE-228"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-24_1",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Access Control Decisions | Transmit Access Authorization Information",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:UserAccountPermissions"
},
"rdfs:label": "AC-24(1)"
},
{
"@id": "d3f:T1574.004",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1574.004",
"d3f:definition": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.",
"d3f:may-create": {
"@id": "d3f:SharedLibraryFile"
},
"d3f:may-modify": {
"@id": "d3f:SharedLibraryFile"
},
"rdfs:label": "Dylib Hijacking",
"rdfs:subClassOf": [
{
"@id": "d3f:T1574"
},
{
"@id": "_:Ned4d285f8cab4703b2bd95cb68c4d3a3"
},
{
"@id": "_:Nb64b001f80cf487a81c94245ef34156e"
}
]
},
{
"@id": "_:Ned4d285f8cab4703b2bd95cb68c4d3a3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:SharedLibraryFile"
}
},
{
"@id": "_:Nb64b001f80cf487a81c94245ef34156e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:SharedLibraryFile"
}
},
{
"@id": "d3f:Reference-CAR-2021-05-007%3ACertUtilDownloadWithVerifyCtlAndSplitArguments_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2021-05-007/"
},
"d3f:kb-abstract": "Certutil.exe may download a file from a remote destination using -VerifyCtl. This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. \\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using -VerifyCtl, the file will either be written to the current working directory or %APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments",
"rdfs:label": "Reference - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments - MITRE"
},
{
"@id": "d3f:Estimation",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-EST",
"d3f:definition": "Estimation represents ways or a process of learning and determining the population parameter based on the model fitted to the data.",
"d3f:kb-article": "## References\nPennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)",
"rdfs:label": "Estimation",
"rdfs:subClassOf": {
"@id": "d3f:InferentialStatistics"
}
},
{
"@id": "d3f:Image-to-ImageTranslationGAN",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-ITITG",
"d3f:definition": "Image-to-image translation is the task of transferring styles and characteristics from one image domain to another.",
"d3f:kb-article": "## References\nMathWorks. (n.d.). Get Started with GANs for Image-to-Image Translation. [Link](https://www.mathworks.com/help/images/get-started-with-gans-for-image-to-image-translation.html)",
"rdfs:label": "Image-to-Image Translation GAN",
"rdfs:subClassOf": {
"@id": "d3f:GenerativeAdversarialNetwork"
}
},
{
"@id": "d3f:restricts",
"@type": "owl:ObjectProperty",
"d3f:definition": "x restricts y: An entity x bounds the use of entity y.",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/00234091-v"
},
"rdfs:label": "restricts",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:ApproximateStringMatching",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-ASM",
"d3f:definition": "Approximate string matching is a form of string matching that allows errrors.",
"d3f:kb-article": "## References\n1. Navarro, G. (2001). A guided tour to approximate string matching. _ACM Computing Surveys_, 33(1), 31-88. [Link](https://doi.org/10.1145/375360.375365)",
"rdfs:label": "Approximate String Matching",
"rdfs:subClassOf": {
"@id": "d3f:PartialMatching"
}
},
{
"@id": "d3f:LinuxOpenArgumentO_RDONLY-O_WRONLY-O_RDWR",
"@type": "owl:Class",
"d3f:definition": "Opens a file specified by pathname.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/open.2.html"
},
"rdfs:label": "Linux Open Argument O_RDONLY, O_WRONLY, O_RDWR",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIOpenFile"
}
},
{
"@id": "d3f:label",
"@type": "owl:AnnotationProperty",
"rdfs:label": {
"@language": "en",
"@value": "label"
},
"rdfs:subPropertyOf": {
"@id": "rdfs:label"
}
},
{
"@id": "d3f:OTDeviceExceptionEvent",
"@type": "owl:Class",
"d3f:definition": "An unknown or anomalous condition occurred in the system.",
"rdfs:label": "OT Exception Message Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTDiagnosticsMessageEvent"
},
{
"@id": "_:N48645b43496c4ce496ba2d5b5048e191"
}
]
},
{
"@id": "_:N48645b43496c4ce496ba2d5b5048e191",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTDeviceException"
}
},
{
"@id": "d3f:CWE-1422",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1422",
"d3f:definition": "A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.",
"rdfs:label": "Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1420"
}
},
{
"@id": "d3f:CCI-002824_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:DeadCodeElimination"
},
{
"@id": "d3f:ProcessSegmentExecutionPrevention"
},
{
"@id": "d3f:SegmentAddressOffsetRandomization"
},
{
"@id": "d3f:StackFrameCanaryValidation"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-12T00:00:00"
},
"rdfs:label": "CCI-002824"
},
{
"@id": "d3f:WindowsRegistryValueDeletionEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a registry value is deleted from the Windows Registry, permanently removing its associated data.",
"rdfs:label": "Windows Registry Value Deletion Event",
"rdfs:subClassOf": [
{
"@id": "d3f:WindowsRegistryValueEvent"
},
{
"@id": "_:Nda1081467f8645b3bfdb14ce97b204f2"
}
]
},
{
"@id": "_:Nda1081467f8645b3bfdb14ce97b204f2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryValueSetEvent"
}
},
{
"@id": "d3f:Reference-MethodAndSystemForDetectingExternalControlOfCompromisedHosts_VECTRANETWORKSInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US9407647B2/en?oq=US-9407647-B2"
},
"d3f:kb-abstract": "A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway.",
"d3f:kb-author": "Nicolas BEAUCHESNE; Ryan James PRENGER",
"d3f:kb-mitre-analysis": "This patent describes detecting an external attacker taking remote control of an internal host. Detection includes identifying sessions where the external host controls the internal host in the opposite direction the session was initiated. The number of rapid-exchange communication instances (i.e, communications that occur between the two hosts with little silence gap), the time intervals between them, and/or the rhythm and direction of the instances, are analyzed to determine if an external human actor is manually controlling the internal host.",
"d3f:kb-organization": "VECTRA NETWORKS Inc",
"d3f:kb-reference-of": {
"@id": "d3f:RemoteTerminalSessionDetection"
},
"d3f:kb-reference-title": "Method and system for detecting external control of compromised hosts",
"rdfs:label": "Reference - Method and system for detecting external control of compromised hosts - VECTRA NETWORKS Inc"
},
{
"@id": "d3f:Reference-LUKS1On-DiskFormatSpecificationVersion1.2.3",
"@type": [
"owl:NamedIndividual",
"d3f:SpecificationReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf"
},
"d3f:kb-abstract": "LUKS is short for \"Linux Unified Key Setup\". It has initially been developed to remedy the unpleasantness a user experienced that arise from deriving the encryption setup from changing user space, and forgotten command line arguments. The result of this changes are an unaccessible encryption storage. The reason for this to happen was, a unstandardised way to read, process and set up encryption keys, and if the user was unlucky, he upgraded to an incompatible version of user space tools that needed a good deal of knowledge to use with old encryption volumes.",
"d3f:kb-author": "Clemens Fruhwirth",
"d3f:kb-reference-of": {
"@id": "d3f:DiskEncryption"
},
"d3f:kb-reference-title": "LUKS1 On-Disk Format SpecificationVersion 1.2.3",
"rdfs:label": "Reference - LUKS1 On-Disk Format SpecificationVersion 1.2.3"
},
{
"@id": "d3f:HardwareDeviceUpdateEvent",
"@type": "owl:Class",
"d3f:definition": "An event capturing updates or changes to a device's configuration, properties, or state, including firmware updates, reconfigurations, or optimizations.",
"rdfs:label": "Hardware Device Update Event",
"rdfs:subClassOf": [
{
"@id": "d3f:HardwareDeviceStateEvent"
},
{
"@id": "_:N08e8f32e665349f7976a02fe50ce6477"
}
]
},
{
"@id": "_:N08e8f32e665349f7976a02fe50ce6477",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDeviceConnectionEvent"
}
},
{
"@id": "d3f:CWE-260",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-260",
"d3f:definition": "The product stores a password in a configuration file that might be accessible to actors who do not know the password.",
"rdfs:label": "Password in Configuration File",
"rdfs:subClassOf": {
"@id": "d3f:CWE-522"
}
},
{
"@id": "d3f:process-data-property",
"@type": "owl:DatatypeProperty",
"d3f:definition": "x process-data-property y: The process x has the data property y.",
"rdfs:label": "process-data-property",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-artifact-data-property"
}
},
{
"@id": "d3f:SystemCallAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:SystemCallAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:SystemCall"
},
"d3f:d3fend-id": "D3-SCA",
"d3f:definition": "Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.",
"d3f:kb-article": "## How it works\n\nSystem calls are APIs between a user application and the operating system [1].\n\nBy analyzing a process's use of these APIs, it is, in some cases, possible to ascertain whether a program is exhibiting unauthorized behavior, including trying to escalate its privileges.\n\n### Gathering System Calls\nA common method to capture system calls is to use kernel APIs to hook [2] a process's system call invocations.\n\nThe Linux system call `ptrace` tracks other system calls in a process and allows their alteration; this is made use of by GDB. `strace` utilizes `ptrace` and will print to stdout each system call invoked. Other applications record this data in local or remote databases.\n\nThe log entry for each system call, which may reference additional information such as the date and time, and the process tree for the process which made the system call, is relayed, in real time or post-facto, to an analysis module which consults a catalog or model to determine whether the distribution matches a known-good or known-bad pattern.\n\n\n### Analysis\n\nSystem calls are analyzed with a variety of methods. Some analytics look for specific sequences of instructions, others may apply statistical methods to identify abnormal behavior. Sequences of instructions can be abstracted into conceptually higher order user activities, for example:\n\n* An attacker executes many system calls in a short period of time, with several sequences which could be used to escalate privileges.\n* Getting the contents from a URL, writing to a new file, and then executing the same file.\n* A ransomware program which either uses a loop or creates many threads to: read a specified file, encrypt its contents, create an output file with a similar name to the original file, and delete the unencrypted original.\n\n## Considerations\n\n* Duplicative or extraneous system calls may be added to malware to defeat analytics.\n* Malware could replace API hooking instructions to allow system calls to be made without being monitored.\n* A model built from a training set of system calls and related data may not be updated fast enough to detect new threats.\n\n\n[1] [Syscalls](http://man7.org/linux/man-pages/man2/syscalls.2.html)\n\n[2] [Hooking](http://dbpedia.org/resource/Hooking)",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-CredentialDumpingViaWindowsTaskManager_MITRE"
},
{
"@id": "d3f:Reference-DLLInjectionViaLoadLibrary_MITRE"
},
{
"@id": "d3f:Reference-DeterministicMethodForDetectingAndBlockingOfExploitsOnInterpretedCode_K2CyberSecurityInc"
},
{
"@id": "d3f:Reference-Hardware-assistedSystemAndMethodForDetectingAndAnalyzingSystemCallsMadeToAnOpertingSystemKernel_EndgameInc"
},
{
"@id": "d3f:Reference-MalwareDetectionInEventLoops_CrowdstrikeInc"
},
{
"@id": "d3f:Reference-PostSandboxMethodsAndSystemsForDetectingAndBlockingZero-dayExploitsViaApiCallValidation_K2CyberSecurityInc"
},
{
"@id": "d3f:Reference-CAR-2020-05-001%3AMiniDumpOfLSASS_MITRE"
},
{
"@id": "d3f:Reference-CAR-2021-05-011%3ACreateRemoteThreadIntoLSASS_MITRE"
}
],
"rdfs:label": "System Call Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessAnalysis"
},
{
"@id": "_:N55c9206cc7534e839f0e18ee4b7ca591"
}
]
},
{
"@id": "_:N55c9206cc7534e839f0e18ee4b7ca591",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemCall"
}
},
{
"@id": "d3f:CWE-1298",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1298",
"d3f:definition": "A race condition in the hardware logic results in undermining security guarantees of the system.",
"rdfs:label": "Hardware Logic Contains Race Conditions",
"rdfs:subClassOf": {
"@id": "d3f:CWE-362"
}
},
{
"@id": "d3f:T1596.005",
"@type": "owl:Class",
"d3f:attack-id": "T1596.005",
"d3f:definition": "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)",
"rdfs:label": "Scan Databases",
"rdfs:subClassOf": {
"@id": "d3f:T1596"
}
},
{
"@id": "d3f:CWE-695",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-695",
"d3f:definition": "The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.",
"rdfs:label": "Use of Low-Level Functionality",
"rdfs:subClassOf": {
"@id": "d3f:CWE-573"
}
},
{
"@id": "d3f:T1547.015",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1547.015",
"d3f:definition": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.",
"d3f:modifies": {
"@id": "d3f:UserLogonInitResource"
},
"rdfs:label": "Login Items",
"rdfs:subClassOf": [
{
"@id": "d3f:T1547"
},
{
"@id": "_:N318beb7c4381451eba92f32e7ac9e384"
}
]
},
{
"@id": "_:N318beb7c4381451eba92f32e7ac9e384",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:UserLogonInitResource"
}
},
{
"@id": "d3f:FileMountEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a file system or storage volume is mounted, making its files and directories accessible to the operating system or applications.",
"rdfs:label": "File Mount Event",
"rdfs:subClassOf": {
"@id": "d3f:FileEvent"
}
},
{
"@id": "d3f:RemoteTerminalSession",
"@type": "owl:Class",
"d3f:definition": "A remote terminal session is a session that provides a user access from one host to another host via a terminal.",
"rdfs:label": "Remote Terminal Session",
"rdfs:subClassOf": {
"@id": "d3f:NetworkSession"
}
},
{
"@id": "d3f:HardwareDeviceEvent",
"@type": "owl:Class",
"d3f:definition": "An event capturing the existence, state, or interaction of hardware or virtual devices within a system. Device events encompass activities such as discovery, connection, disconnection, operational state changes, or configuration modifications, providing visibility into device behavior and health.",
"rdfs:label": "Hardware Device Event",
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalEvent"
},
{
"@id": "_:N304ba1dd74e94a31862d9a6987a54089"
}
]
},
{
"@id": "_:N304ba1dd74e94a31862d9a6987a54089",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:Process",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:ProcessImage"
},
"d3f:definition": "A process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system (OS), a process may be made up of multiple threads of execution that execute instructions concurrently. A computer program is a passive collection of instructions, while a process is the actual execution of those instructions. Several processes may be associated with the same program; for example, opening up several instances of the same program often means more than one process is being executed.",
"d3f:instructed-by": {
"@id": "d3f:Software"
},
"d3f:may-execute": {
"@id": "d3f:Thread"
},
"d3f:process-image-path": {
"@id": "d3f:ExecutableBinary"
},
"d3f:process-user": {
"@id": "d3f:UserAccount"
},
"d3f:uses": {
"@id": "d3f:Resource"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Process_(computing)"
},
"rdfs:label": "Process",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/objects/process"
},
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:N2a357b7adbe743a98a8908fc79ca46c0"
},
{
"@id": "_:N2add947d4f7343e9a81c7823478d6ba2"
},
{
"@id": "_:Nfba33db595d8480ab00f6ef692cfe0d6"
},
{
"@id": "_:N1e8222a50864461da4c05424650ade35"
},
{
"@id": "_:Nf573f962214d436aab971f6bc0149ba5"
},
{
"@id": "_:N1a6fcd88cbde4dbdb140d98aa17927b8"
},
{
"@id": "_:N56a129a50f54484999457ce4a3c4e84b"
},
{
"@id": "_:N5fd234b81b7941d1aee3e35f50be7189"
},
{
"@id": "_:N06e503787e664488b91ca8df74a18306"
},
{
"@id": "_:Na7c331a3d0b1479482acb96422d73a1a"
}
]
},
{
"@id": "_:N2a357b7adbe743a98a8908fc79ca46c0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessImage"
}
},
{
"@id": "_:N2add947d4f7343e9a81c7823478d6ba2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:instructed-by"
},
"owl:someValuesFrom": {
"@id": "d3f:Software"
}
},
{
"@id": "_:Nfba33db595d8480ab00f6ef692cfe0d6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-execute"
},
"owl:someValuesFrom": {
"@id": "d3f:Thread"
}
},
{
"@id": "_:N1e8222a50864461da4c05424650ade35",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:process-image-path"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableBinary"
}
},
{
"@id": "_:Nf573f962214d436aab971f6bc0149ba5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:process-user"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "_:N1a6fcd88cbde4dbdb140d98aa17927b8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:uses"
},
"owl:someValuesFrom": {
"@id": "d3f:Resource"
}
},
{
"@id": "_:N56a129a50f54484999457ce4a3c4e84b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:process-command-line-arguments"
},
"owl:someValuesFrom": {
"@id": "xsd:string"
}
},
{
"@id": "_:N5fd234b81b7941d1aee3e35f50be7189",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:process-environmental-variables"
},
"owl:someValuesFrom": {
"@id": "xsd:string"
}
},
{
"@id": "_:N06e503787e664488b91ca8df74a18306",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:process-identifier"
},
"owl:someValuesFrom": {
"@id": "xsd:integer"
}
},
{
"@id": "_:Na7c331a3d0b1479482acb96422d73a1a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:process-security-context"
},
"owl:someValuesFrom": {
"@id": "xsd:string"
}
},
{
"@id": "d3f:CWE-153",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-153",
"d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.",
"rdfs:label": "Improper Neutralization of Substitution Characters",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:T1613",
"@type": "owl:Class",
"d3f:attack-id": "T1613",
"d3f:definition": "Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.",
"rdfs:label": "Container and Resource Discovery",
"rdfs:subClassOf": {
"@id": "d3f:DiscoveryTechnique"
}
},
{
"@id": "d3f:CWE-1023",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1023",
"d3f:definition": "The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.",
"rdfs:label": "Incomplete Comparison with Missing Factors",
"rdfs:subClassOf": {
"@id": "d3f:CWE-697"
}
},
{
"@id": "d3f:CWE-102",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-102",
"d3f:definition": "The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.",
"rdfs:label": "Struts: Duplicate Validation Forms",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1173"
},
{
"@id": "d3f:CWE-694"
}
]
},
{
"@id": "d3f:CWE-1043",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1043",
"d3f:definition": "The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.",
"rdfs:label": "Data Element Aggregating an Excessively Large Number of Non-Primitive Elements",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1093"
}
},
{
"@id": "d3f:T1552",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:Credential"
},
"d3f:attack-id": "T1552",
"d3f:definition": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)",
"rdfs:label": "Unsecured Credentials",
"rdfs:subClassOf": [
{
"@id": "d3f:CredentialAccessTechnique"
},
{
"@id": "_:N50bd9c845e344a99a088a5a921ee40f7"
}
]
},
{
"@id": "_:N50bd9c845e344a99a088a5a921ee40f7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:Credential"
}
},
{
"@id": "d3f:CCI-000198_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces minimum password lifetime restrictions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:StrongPasswordPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-15T00:00:00"
},
"rdfs:label": "CCI-000198"
},
{
"@id": "d3f:T1056",
"@type": "owl:Class",
"d3f:attack-id": "T1056",
"d3f:definition": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).",
"rdfs:label": "Input Capture",
"rdfs:subClassOf": [
{
"@id": "d3f:CollectionTechnique"
},
{
"@id": "d3f:CredentialAccessTechnique"
}
]
},
{
"@id": "d3f:T1078",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1078",
"d3f:definition": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.",
"d3f:produces": [
{
"@id": "d3f:Authentication"
},
{
"@id": "d3f:Authorization"
}
],
"d3f:uses": {
"@id": "d3f:UserAccount"
},
"rdfs:label": "Valid Accounts",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "d3f:InitialAccessTechnique"
},
{
"@id": "d3f:PersistenceTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
},
{
"@id": "_:N50eb2b3eaf5f4999b8239f76210336a8"
},
{
"@id": "_:N4f2143491ce9464598893699b63bf166"
},
{
"@id": "_:N547f15be045e4c2aba6ee4d273747ca3"
}
]
},
{
"@id": "_:N50eb2b3eaf5f4999b8239f76210336a8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:Authentication"
}
},
{
"@id": "_:N4f2143491ce9464598893699b63bf166",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:Authorization"
}
},
{
"@id": "_:N547f15be045e4c2aba6ee4d273747ca3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:uses"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:display-baseurl",
"@type": "owl:AnnotationProperty",
"d3f:definition": "A base string to use as prefix to create a full URL for an entity. The baseurl must end in a forward slash: /",
"rdfs:label": "display-baseurl",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-display-annotation"
}
},
{
"@id": "d3f:CWE-506",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-506",
"d3f:definition": "The product contains code that appears to be malicious in nature.",
"rdfs:label": "Embedded Malicious Code",
"rdfs:subClassOf": {
"@id": "d3f:CWE-912"
}
},
{
"@id": "d3f:Reference-CAR-2016-04-004_SuccessfulLocalAccountLogin",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2016-04-004/"
},
"d3f:kb-reference-of": {
"@id": "d3f:LocalAccountMonitoring"
},
"d3f:kb-reference-title": "Reference - CAR-2016-04-004: Successful Local Account Login",
"rdfs:label": "Reference - CAR-2016-04-004: Successful Local Account Login"
},
{
"@id": "d3f:WriteMemory",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:modifies": {
"@id": "d3f:MemoryBlock"
},
"rdfs:label": "Write Memory",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Nacd42fd3d3a2492491968a42a2b3bd8b"
}
]
},
{
"@id": "_:Nacd42fd3d3a2492491968a42a2b3bd8b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryBlock"
}
},
{
"@id": "d3f:CWE-646",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-646",
"d3f:definition": "The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.",
"rdfs:label": "Reliance on File Name or Extension of Externally-Supplied File",
"rdfs:subClassOf": {
"@id": "d3f:CWE-345"
}
},
{
"@id": "d3f:CCI-001425_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:UserAccountPermissions"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-25T00:00:00"
},
"rdfs:label": "CCI-001425"
},
{
"@id": "d3f:CWE-1124",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1124",
"d3f:definition": "The code contains a callable or other code grouping in which the nesting / branching is too deep.",
"rdfs:label": "Excessively Deep Nesting",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1120"
}
},
{
"@id": "d3f:T1021.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1021.001",
"d3f:creates": {
"@id": "d3f:RDPSession"
},
"d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.",
"d3f:produces": {
"@id": "d3f:AdministrativeNetworkTraffic"
},
"rdfs:label": "Remote Desktop Protocol",
"rdfs:subClassOf": [
{
"@id": "d3f:T1021"
},
{
"@id": "_:Ne632fdc155a543d29c33a6dfdc060ff8"
},
{
"@id": "_:N283b2cde4f3a49dfa3853cc5f56349de"
}
]
},
{
"@id": "_:Ne632fdc155a543d29c33a6dfdc060ff8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:RDPSession"
}
},
{
"@id": "_:N283b2cde4f3a49dfa3853cc5f56349de",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:AdministrativeNetworkTraffic"
}
},
{
"@id": "d3f:CWE-46",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-46",
"d3f:definition": "The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
"rdfs:label": "Path Equivalence: 'filename ' (Trailing Space)",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-162"
},
{
"@id": "d3f:CWE-41"
}
]
},
{
"@id": "d3f:Reference-PreventingExecutionOfTaskScheduledMalware_McAfeeLLC",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20160105450A1"
},
"d3f:kb-abstract": "A method for preventing malware attacks includes the steps of detecting an attempt on an electronic device to access a task scheduler, determining an entity associated with the attempt to access the task scheduler, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task scheduler. The task scheduler is configured to launch one or more applications at a specified time or interval.",
"d3f:kb-author": "Anil Ramabhatta, Harinath Vishwanath Ramachetty, Nandi Dharma Kishore",
"d3f:kb-mitre-analysis": "Access to a job scheduler is intercepted using hooking or file filters to identify and analyze the source files, processes, destination files, or destination servers associated with a scheduled job. The identified servers or files associated with a job are compared against an anti-malware signature database or reputation server to determine if it there is a match. If so, execution is denied and an alert is generated.",
"d3f:kb-organization": "McAfee LLC",
"d3f:kb-reference-of": {
"@id": "d3f:ScheduledJobAnalysis"
},
"d3f:kb-reference-title": "Preventing execution of task scheduled malware",
"rdfs:label": "Reference - Preventing execution of task scheduled malware - McAfee LLC"
},
{
"@id": "d3f:process-security-context",
"@type": "owl:DatatypeProperty",
"d3f:definition": "x process-security-context y: The process x has the process security context data y.",
"rdfs:domain": {
"@id": "d3f:Process"
},
"rdfs:label": "process-security-context",
"rdfs:subPropertyOf": {
"@id": "d3f:process-data-property"
}
},
{
"@id": "d3f:LinuxRename",
"@type": "owl:Class",
"d3f:definition": "Change the name or location of a file.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/rename.2.html"
},
"rdfs:label": "Linux Rename",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIMoveFile"
}
},
{
"@id": "d3f:OSAPIGetThreadContext",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An OS API function that retrieves the execution context or state of a specific thread in a process.",
"d3f:invokes": {
"@id": "d3f:GetThreadContext"
},
"rdfs:label": "OS API Get Thread Context",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPISystemFunction"
},
{
"@id": "_:N5d163dde801b40f18a5ba183b468e63b"
}
]
},
{
"@id": "_:N5d163dde801b40f18a5ba183b468e63b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:GetThreadContext"
}
},
{
"@id": "d3f:CCI-002688_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:FileContentRules"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system discovers indicators of compromise.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-11T00:00:00"
},
"rdfs:label": "CCI-002688"
},
{
"@id": "d3f:injects",
"@type": "owl:ObjectProperty",
"d3f:definition": "x injects y: The subject x takes the action of exploiting a security flaw by introducing (injecting) y, which is code or data that will change the course of execution or state of a computing process to an alternate course or state. Typically code injection is associated with adversaries intending the alternate course to facilitate a malevolent purpose; however, code injection can be unintentional or the intentions behind it may be good or benign.",
"rdfs:label": "injects",
"rdfs:seeAlso": [
{
"@id": "dbr:Code_injection"
},
{
"@id": "http://wordnet-rdf.princeton.edu/id/00916722-v"
}
],
"rdfs:subPropertyOf": {
"@id": "d3f:executes"
}
},
{
"@id": "d3f:CCI-002717_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:FileHashing"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements cryptographic mechanisms to detect unauthorized changes to firmware.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-11T00:00:00"
},
"rdfs:label": "CCI-002717"
},
{
"@id": "d3f:Reference-MethodAndSystemForDetectingRestrictedContentAssociatedWithRetrievedContent_SophosLtd",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20160359883A1"
},
"d3f:kb-abstract": "In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content.",
"d3f:kb-author": "Fraser Howard; Paul Baccas; Vanja Svajcer; Benjamin John Godwood; William James McCourt",
"d3f:kb-mitre-analysis": "This patent describes analyzing contextual information of a Uniform Resource Identifier (URI), such as source or origin of the request URI, patterns in the way the URI is delivered, and the locale of the URI. The contextual information is sent to a scanning facility which uses that information along with a blacklist of known malicious domain names, locations, patterns, etc. to block retrieved content associated with the request URI.",
"d3f:kb-organization": "Sophos Ltd",
"d3f:kb-reference-of": {
"@id": "d3f:URLAnalysis"
},
"d3f:kb-reference-title": "Method and system for detecting restricted content associated with retrieved content",
"rdfs:label": "Reference - Method and system for detecting restricted content associated with retrieved content - Sophos Ltd"
},
{
"@id": "d3f:OperatingMode",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "The Operating Mode designates the specific, selectable state of an OT controller that delineates its operational behavior and governs access to engineering functions, commonly including Program, Run, Remote, Test, or Stop.",
"d3f:synonym": "Keyswitch Position",
"rdfs:label": "Operating Mode",
"rdfs:subClassOf": {
"@id": "d3f:SystemPlatformVariable"
}
},
{
"@id": "d3f:Reference-CAR-2020-11-007%3ANetworkShareConnectionRemoval_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-11-007/"
},
"d3f:kb-abstract": "Adversaries may use network shares to exfliltrate date; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-11-007: Network Share Connection Removal",
"rdfs:label": "Reference - CAR-2020-11-007: Network Share Connection Removal - MITRE"
},
{
"@id": "d3f:CCI-001495_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system protects audit tools from unauthorized deletion.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:PlatformHardening"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-29T00:00:00"
},
"rdfs:label": "CCI-001495"
},
{
"@id": "d3f:ASCIIDomainName",
"@type": [
"owl:NamedIndividual",
"d3f:DomainName"
],
"rdfs:label": "ASCII Domain Name"
},
{
"@id": "d3f:employs",
"@type": "owl:ObjectProperty",
"d3f:definition": "x employs y: The entity x makes purposeful use of entity y to perform a function.",
"rdfs:label": "employs",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:MicrosoftWordDOTMFile",
"@type": [
"owl:NamedIndividual",
"d3f:DocumentFile"
],
"rdfs:label": "Microsoft Word DOTM File"
},
{
"@id": "d3f:Reference-FrameworkForNotifyingADirectoryServiceOfAuthenticationEventsProcessedOutsideTheDirectoryService_OracleInternationalCorp",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20090077645A1"
},
"d3f:kb-abstract": "Methods, systems and machine-readable media for authenticating an end user for a client application are disclosed. According to one embodiment of the invention, a method of authenticating an end user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures comprises receiving end user identity information and security information at the client application; sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving a authentication token from the directory service associated with the end user identity information; comparing the received authentication token with the security information; if the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred; and if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred.",
"d3f:kb-author": "Buddhika Nandana Kottahachchi",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Oracle International Corp",
"d3f:kb-reference-of": {
"@id": "d3f:AccountLocking"
},
"d3f:kb-reference-title": "Framework for notifying a directory service of authentication events processed outside the directory service",
"rdfs:label": "Reference - Framework for notifying a directory service of authentication events processed outside the directory service - Oracle International Corp"
},
{
"@id": "d3f:ArtificialNeuralNetClassification",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-annotation": "Classification ANNs seek to classify an observation as belonging to some discrete class as a function of the inputs. The input features (independent variables) can be categorical or numeric types, however, we require a categorical feature as the dependent variable.",
"d3f:d3fend-id": "D3A-ANNC",
"d3f:kb-article": "## References\nANN Classification. [Link](http://uc-r.github.io/ann_classification).",
"rdfs:label": "Artificial Neural Network Classification",
"rdfs:subClassOf": {
"@id": "d3f:Classification"
}
},
{
"@id": "d3f:UserAccountLockEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a user account is locked out due to failed authentication attempts or administrative action.",
"rdfs:label": "User Account Lock Event",
"rdfs:subClassOf": [
{
"@id": "d3f:UserAccountEvent"
},
{
"@id": "_:N8144b658061f4a6490ccd7063883edba"
}
]
},
{
"@id": "_:N8144b658061f4a6490ccd7063883edba",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccountCreationEvent"
}
},
{
"@id": "d3f:T1053.001",
"@type": "owl:Class",
"d3f:attack-id": "T1053.001",
"d3f:definition": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1053.002",
"rdfs:label": "At (Linux) Execution",
"rdfs:seeAlso": "T1053.002",
"rdfs:subClassOf": {
"@id": "d3f:T1053"
}
},
{
"@id": "d3f:InboundInternetDNSResponseTraffic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Inbound internet DNS response traffic is DNS response traffic from a host outside a given network initiated on an incoming connection to a host inside that network.",
"rdfs:label": "Inbound Internet DNS Response Traffic",
"rdfs:subClassOf": {
"@id": "d3f:InboundInternetNetworkTraffic"
}
},
{
"@id": "d3f:Reference-MethodAndSystemForDetectingAlgorithm-generatedDomains_VECTRANETWORKSInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20150264070A1"
},
"d3f:kb-abstract": "A method and system for detecting algorithm-generated domains (AGDs) is disclosed wherein domain names requested by an internal host are categorized or classified using curated data sets, active services (e.g. Internet services), and certainty scores to match domain names to domain names or IP addresses used by command and control servers.",
"d3f:kb-author": "James Patrick HARLACHER; Aditya Sood; Oskar Ibatullin",
"d3f:kb-mitre-analysis": "This patent describes detecting algorithm generated domains (AGD). DNS requests and responses are analyzed by first checking whether the domain matches existing data sets that specify different types of AGDs with known characteristics, such as Evil Twin Domains, Sinkholed domains, sleeper cells, ghost domains, parked domains, and/or bulk-registered domains. In addition to comparing domains against known data sets, the following information is collected to perform analysis:\n\n* IP Information: checks for information known about the IP addresses returned in the DNS response, including the number of IP addresses returned, the registered owners of the IP addresses, or different IP addresses returned for the same domain (IP fluxing)\n* Domain Registration: examines the domain registration date, domain update date, domain expiration date, registrant identity, and authorized name servers associated with a specific domain name.\n* Domain Popularity: provides information on the popularity of a domain name.\n\nBased on analysis of these factors a score is developed; if the score is above a certain threshold, an alert is generated.",
"d3f:kb-organization": "VECTRA NETWORKS Inc",
"d3f:kb-reference-of": {
"@id": "d3f:DNSTrafficAnalysis"
},
"d3f:kb-reference-title": "Method and system for detecting algorithm-generated domains",
"rdfs:label": "Reference - Method and system for detecting algorithm-generated domains - VECTRA NETWORKS Inc"
},
{
"@id": "d3f:CWE-267",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-267",
"d3f:definition": "A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.",
"rdfs:label": "Privilege Defined With Unsafe Actions",
"rdfs:subClassOf": {
"@id": "d3f:CWE-269"
}
},
{
"@id": "d3f:CCI-002710_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:DriverLoadIntegrityChecking"
},
{
"@id": "d3f:FileHashing"
},
{
"@id": "d3f:PointerAuthentication"
},
{
"@id": "d3f:TPMBootIntegrity"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system performs an integrity check of organization-defined software at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-11T00:00:00"
},
"rdfs:label": "CCI-002710"
},
{
"@id": "d3f:CWE-547",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-547",
"d3f:definition": "The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.",
"rdfs:label": "Use of Hard-coded, Security-relevant Constants",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1078"
}
},
{
"@id": "d3f:T1564.008",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1564.008",
"d3f:definition": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)",
"d3f:may-create": {
"@id": "d3f:EmailRule"
},
"d3f:may-modify": {
"@id": "d3f:EmailRule"
},
"d3f:modifies": {
"@id": "d3f:ApplicationConfiguration"
},
"rdfs:label": "Email Hiding Rules",
"rdfs:subClassOf": [
{
"@id": "d3f:T1564"
},
{
"@id": "_:N9b5b549941004cb2b19aefb76d62ffe2"
},
{
"@id": "_:N6dde591473404554b7525b0924898983"
},
{
"@id": "_:N6635fbda9bd54c59a1397c4f6cdcdb17"
}
]
},
{
"@id": "_:N9b5b549941004cb2b19aefb76d62ffe2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:EmailRule"
}
},
{
"@id": "_:N6dde591473404554b7525b0924898983",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:EmailRule"
}
},
{
"@id": "_:N6635fbda9bd54c59a1397c4f6cdcdb17",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ApplicationConfiguration"
}
},
{
"@id": "d3f:CWE-1056",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1056",
"d3f:definition": "A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.",
"rdfs:label": "Invokable Control Element with Variadic Parameters",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1120"
}
},
{
"@id": "d3f:T1036",
"@type": "owl:Class",
"d3f:attack-id": "T1036",
"d3f:definition": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.",
"rdfs:label": "Masquerading",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-15",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Alternate Audit Logging Capability",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:LocalAccountMonitoring"
},
"rdfs:label": "AU-15"
},
{
"@id": "d3f:Reference-LibreNMSDocsNetworkMapExtension",
"@type": [
"owl:NamedIndividual",
"d3f:UserManualReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://docs.librenms.org/Extensions/Network-Map/"
},
"d3f:kb-abstract": "LibreNMS has the ability to show you a network map based on:\n* xDP Discovery\n* MAC addresses",
"d3f:kb-organization": "LibreNMS.org",
"d3f:kb-reference-of": {
"@id": "d3f:NetworkMapping"
},
"d3f:kb-reference-title": "Libre NMS - Network Map Extension",
"rdfs:label": "Reference - Libre NMS - Network Map Extension"
},
{
"@id": "d3f:CCI-000163_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system protects audit information from unauthorized modification.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:PlatformHardening"
},
{
"@id": "d3f:SystemConfigurationPermissions"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-22T00:00:00"
},
"rdfs:label": "CCI-000163"
},
{
"@id": "d3f:CWE-114",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-114",
"d3f:definition": "Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.",
"rdfs:label": "Process Control",
"rdfs:subClassOf": {
"@id": "d3f:CWE-73"
}
},
{
"@id": "d3f:CWE-1310",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1310",
"d3f:definition": "Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.",
"rdfs:label": "Missing Ability to Patch ROM Code",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1329"
}
},
{
"@id": "d3f:CWE-140",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-140",
"d3f:definition": "The product does not neutralize or incorrectly neutralizes delimiters.",
"rdfs:label": "Improper Neutralization of Delimiters",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:SystemInitConfigAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:SystemInitConfigAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:SystemInitConfiguration"
},
"d3f:d3fend-id": "D3-SICA",
"d3f:definition": "Analysis of any system process startup configuration.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-AutorunDifferences_MITRE"
},
{
"@id": "d3f:Reference-CAR-2020-09-005%3AAppInitDLLs_MITRE"
},
{
"@id": "d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE"
}
],
"d3f:synonym": [
"Autorun Analysis",
"Startup Analysis"
],
"rdfs:label": "System Init Config Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:OperatingSystemMonitoring"
},
{
"@id": "_:Nc4ed88f74da64382915c7ef1a1613730"
}
],
"skos:altLabel": "System Initialization Configuration Analysis"
},
{
"@id": "_:Nc4ed88f74da64382915c7ef1a1613730",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemInitConfiguration"
}
},
{
"@id": "d3f:Second-stageBootLoader",
"@type": "owl:Class",
"d3f:definition": "An optional, often feature rich, second stage set of routines run in order to load the operating system.",
"rdfs:label": "Second-stage Boot Loader",
"rdfs:subClassOf": {
"@id": "d3f:BootLoader"
}
},
{
"@id": "d3f:SystemConfigurationPermissions",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:SystemConfigurationPermissions"
],
"d3f:d3fend-id": "D3-SCP",
"d3f:definition": "Restricting system configuration modifications to a specific user or group of users.",
"d3f:kb-reference": {
"@id": "d3f:Reference-HowToChangeRegistryValuesOrPermissionsFromACommandLineOrAScript"
},
"d3f:restricts": {
"@id": "d3f:SystemConfigurationDatabase"
},
"rdfs:label": "System Configuration Permissions",
"rdfs:subClassOf": [
{
"@id": "d3f:PlatformHardening"
},
{
"@id": "_:N91fb896c915b4f688bfc275c3f9a3673"
}
]
},
{
"@id": "_:N91fb896c915b4f688bfc275c3f9a3673",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restricts"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemConfigurationDatabase"
}
},
{
"@id": "d3f:OTDiagnosticsMessage",
"@type": "owl:Class",
"d3f:definition": "Relay error, exception, alarm, or log information.",
"rdfs:label": "OT Diagnostics Message",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTProtocolMessage"
}
},
{
"@id": "d3f:HardwareDeviceDisabledEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a device transitions to an inactive or unavailable state, often due to deactivation, failure, or maintenance.",
"rdfs:label": "Hardware Device Disabled Event",
"rdfs:subClassOf": [
{
"@id": "d3f:HardwareDeviceStateEvent"
},
{
"@id": "_:N32602da56437416bb6ba6cb63ef1ee5f"
}
]
},
{
"@id": "_:N32602da56437416bb6ba6cb63ef1ee5f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDeviceEnabledEvent"
}
},
{
"@id": "d3f:CWE-787",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-787",
"d3f:definition": "The product writes data past the end, or before the beginning, of the intended buffer.",
"d3f:synonym": "Memory Corruption",
"d3f:weakness-of": {
"@id": "d3f:RawMemoryAccessFunction"
},
"rdfs:label": "Out-of-bounds Write",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-119"
},
{
"@id": "_:Nfb30462a0a4f402c8aa90f67681fd86d"
}
]
},
{
"@id": "_:Nfb30462a0a4f402c8aa90f67681fd86d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:RawMemoryAccessFunction"
}
},
{
"@id": "d3f:ArchiveFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An archive file is a file that is composed of one or more computer files along with metadata. Archive files are used to collect multiple data files together into a single file for easier portability and storage, or simply to compress files to use less storage space. Archive files often store directory structures, error detection and correction information, arbitrary comments, and sometimes use built-in encryption.",
"rdfs:isDefinedBy": {
"@id": "dbr:Archive_file"
},
"rdfs:label": "Archive File",
"rdfs:subClassOf": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:DisplayDeviceDriver",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A device driver for a display adapter.",
"d3f:drives": {
"@id": "d3f:DisplayAdapter"
},
"rdfs:label": "Display Device Driver",
"rdfs:seeAlso": [
{
"@id": "dbr:Device_driver"
},
{
"@id": "dbr:Display_adapter"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:HardwareDriver"
},
{
"@id": "_:N28002c0a6918489abc73d78f42d92c6e"
}
]
},
{
"@id": "_:N28002c0a6918489abc73d78f42d92c6e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:drives"
},
"owl:someValuesFrom": {
"@id": "d3f:DisplayAdapter"
}
},
{
"@id": "d3f:T1036.010",
"@type": "owl:Class",
"d3f:attack-id": "T1036.010",
"d3f:definition": "Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)",
"rdfs:label": "Masquerade Account Name",
"rdfs:subClassOf": {
"@id": "d3f:T1036"
}
},
{
"@id": "d3f:Semi-supervisedFeatureExtraction",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SSFE",
"d3f:definition": "Feature extraction refers to reducing the number of dimensions in a data point so that it is computationally feasible and effective to learn a model.",
"d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
"rdfs:label": "Semi-supervised Feature Extraction",
"rdfs:subClassOf": {
"@id": "d3f:UnsupervisedPreprocessing"
}
},
{
"@id": "d3f:Evict",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DefensiveTactic"
],
"d3f:definition": "The eviction tactic is used to remove an adversary from a computer network.",
"d3f:display-order": 4,
"d3f:display-priority": 0,
"rdfs:label": "Evict",
"rdfs:subClassOf": {
"@id": "d3f:DefensiveTactic"
}
},
{
"@id": "d3f:Reference-HowASLRProtectsLinuxSystemsFromBufferOverflowAttacks_NetworkWorld",
"@type": [
"owl:NamedIndividual",
"d3f:InternetArticleReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.networkworld.com/article/3331199/what-does-aslr-do-for-linux.html"
},
"d3f:kb-abstract": "ASLR (Address Space Layout Randomization) is a memory exploitation mitigation technique used on both Linux and Windows systems. Learn how to tell if it's running, enable/disable it, and get a view of how it works.",
"d3f:kb-author": "Sandra Henry-Stocker",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Network World",
"d3f:kb-reference-of": {
"@id": "d3f:SegmentAddressOffsetRandomization"
},
"d3f:kb-reference-title": "How ASLR protects Linux systems from buffer overflow attacks",
"rdfs:label": "Reference - How ASLR protects Linux systems from buffer overflow attacks - Network World"
},
{
"@id": "d3f:T1546.010",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1546.010",
"d3f:definition": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)",
"d3f:invokes": {
"@id": "d3f:CreateProcess"
},
"d3f:loads": {
"@id": "d3f:SharedLibraryFile"
},
"d3f:modifies": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
},
"rdfs:label": "AppInit DLLs",
"rdfs:subClassOf": [
{
"@id": "d3f:T1546"
},
{
"@id": "_:Nf4a5102b98fc4ab79fa4e5769ebeb45f"
},
{
"@id": "_:N0d5c126f097d4e1da2891f2bd942aae9"
},
{
"@id": "_:Nf5d7426847054c729ae60a148c22b7a8"
}
]
},
{
"@id": "_:Nf4a5102b98fc4ab79fa4e5769ebeb45f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "_:N0d5c126f097d4e1da2891f2bd942aae9",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:loads"
},
"owl:someValuesFrom": {
"@id": "d3f:SharedLibraryFile"
}
},
{
"@id": "_:Nf5d7426847054c729ae60a148c22b7a8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
}
},
{
"@id": "d3f:CWE-1088",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1088",
"d3f:definition": "The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.",
"rdfs:label": "Synchronous Access of Remote Resource without Timeout",
"rdfs:subClassOf": {
"@id": "d3f:CWE-821"
}
},
{
"@id": "d3f:LogFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:Log"
},
"d3f:definition": "A log file is a file that records either events that occur in an operating system or other software runs, or messages between different users of a communication software. Logging is the act of keeping a log. In the simplest case, messages are written to a single log file.\n\nA transaction log is a file (i.e., log) of the communications between a system and the users of that system, or a data collection method that automatically captures the type, content, or time of transactions made by a person from a terminal with that system. For Web searching, a transaction log is an electronic record of interactions that have occurred during a searching episode between a Web search engine and users searching for information on that Web search engine.\n\nMany operating systems, software frameworks and programs include a logging system. A widely used logging standard is syslog, defined in Internet Engineering Task Force (IETF) RFC 5424). The syslog standard enables a dedicated, standardized subsystem to generate, filter, record, and analyze log messages. This relieves software developers of having to design and code their own ad hoc logging systems.",
"rdfs:isDefinedBy": {
"@id": "dbr:Log_file"
},
"rdfs:label": "Log File",
"rdfs:seeAlso": {
"@id": "http://wordnet-rdf.princeton.edu/id/06515875-n"
},
"rdfs:subClassOf": [
{
"@id": "d3f:File"
},
{
"@id": "_:Nb5fa6cb6d3c64f3ebe7eea5250cb4d17"
}
]
},
{
"@id": "_:Nb5fa6cb6d3c64f3ebe7eea5250cb4d17",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:Log"
}
},
{
"@id": "d3f:VolumeSnapshot",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A volume snapshot is a point-in-time copy of a storage volume.",
"rdfs:isDefinedBy": {
"@id": "https://kubernetes-csi.github.io/docs/snapshot-restore-feature.html"
},
"rdfs:label": "Volume Snapshot",
"rdfs:seeAlso": {
"@id": "https://en.wikipedia.org/wiki/Shadow_Copy"
},
"rdfs:subClassOf": {
"@id": "d3f:StorageSnapshot"
}
},
{
"@id": "d3f:DecoyObject",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DecoyObject"
],
"d3f:d3fend-id": "D3-DO",
"d3f:definition": "A Decoy Object is created and deployed for the purposes of deceiving attackers.",
"d3f:enables": {
"@id": "d3f:Deceive"
},
"d3f:kb-article": "## Technique Overview\nDecoy objects are typically configured with detectable means of communication but do not have any legitimate business purpose. Any communication via or to these objects should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems.",
"d3f:synonym": "Lure",
"rdfs:label": "Decoy Object",
"rdfs:subClassOf": [
{
"@id": "d3f:DefensiveTechnique"
},
{
"@id": "_:N6693f6adbbb04755a1a9b36f6e9106b6"
}
]
},
{
"@id": "_:N6693f6adbbb04755a1a9b36f6e9106b6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:Deceive"
}
},
{
"@id": "d3f:Dependency",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A dependency is the relationship of relying on or being controlled by someone or something else. This class reifies dependencies that correspond to the object property depends-on.",
"d3f:dependent": {
"@id": "d3f:D3FENDCore"
},
"d3f:provider": {
"@id": "d3f:D3FENDCore"
},
"rdfs:label": "Dependency",
"rdfs:seeAlso": [
{
"@id": "http://wordnet-rdf.princeton.edu/id/14024833-n"
},
{
"@id": "https://www.cisa.gov/what-are-dependencies"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:N3c3edd6bd9a64637926b0ad85365a62e"
},
{
"@id": "_:Nf5d39844bf26497d91d640fe623cce1c"
}
]
},
{
"@id": "_:N3c3edd6bd9a64637926b0ad85365a62e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:dependent"
},
"owl:someValuesFrom": {
"@id": "d3f:D3FENDCore"
}
},
{
"@id": "_:Nf5d39844bf26497d91d640fe623cce1c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:provider"
},
"owl:someValuesFrom": {
"@id": "d3f:D3FENDCore"
}
},
{
"@id": "d3f:T1550.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1550.001",
"d3f:definition": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.",
"d3f:may-produce": {
"@id": "d3f:NetworkTraffic"
},
"d3f:uses": {
"@id": "d3f:AccessToken"
},
"rdfs:label": "Application Access Token",
"rdfs:subClassOf": [
{
"@id": "d3f:T1550"
},
{
"@id": "_:N846839e98c1d4b359e6ec7fb445b92fa"
},
{
"@id": "_:N48210cd5ecc646eb8a9f68563e89adc5"
}
]
},
{
"@id": "_:N846839e98c1d4b359e6ec7fb445b92fa",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-produce"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTraffic"
}
},
{
"@id": "_:N48210cd5ecc646eb8a9f68563e89adc5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:uses"
},
"owl:someValuesFrom": {
"@id": "d3f:AccessToken"
}
},
{
"@id": "d3f:IntervalEstimation",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-IE",
"d3f:definition": "Interval estimation is the use of sample data to estimate an interval of possible values of a parameter of interest.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Interval estimation. [Link](https://en.wikipedia.org/wiki/Interval_estimation)",
"rdfs:label": "Interval Estimation",
"rdfs:subClassOf": {
"@id": "d3f:Estimation"
}
},
{
"@id": "d3f:CWE-287",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-287",
"d3f:definition": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.",
"d3f:synonym": [
"AuthC",
"AuthN",
"authentification"
],
"d3f:weakness-of": {
"@id": "d3f:AuthenticationFunction"
},
"rdfs:label": "Improper Authentication",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-284"
},
{
"@id": "_:N582f433277b1423ab4c32565b0a83e22"
}
]
},
{
"@id": "_:N582f433277b1423ab4c32565b0a83e22",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:AuthenticationFunction"
}
},
{
"@id": "d3f:CWE-1338",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1338",
"d3f:definition": "A hardware device is missing or has inadequate protection features to prevent overheating.",
"rdfs:label": "Improper Protections Against Hardware Overheating",
"rdfs:subClassOf": {
"@id": "d3f:CWE-693"
}
},
{
"@id": "d3f:CWE-916",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-916",
"d3f:definition": "The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.",
"rdfs:label": "Use of Password Hash With Insufficient Computational Effort",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-327"
},
{
"@id": "d3f:CWE-328"
}
]
},
{
"@id": "d3f:MultilayerPerceptronClassification",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-MPC",
"d3f:definition": "A multilayer perceptron (MLP) is a fully connected class of feedforward artificial neural network (ANN).An MLP consists of at least three layers of nodes: an input layer, a hidden layer and an output layer.",
"d3f:kb-article": "## References\nMultilayer perceptron. Wikipedia. [Link](https://en.wikipedia.org/wiki/Multilayer_perceptron).",
"rdfs:label": "Multilayer Perceptron Classification",
"rdfs:subClassOf": {
"@id": "d3f:ArtificialNeuralNetClassification"
}
},
{
"@id": "d3f:DriverLoadIntegrityChecking",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DriverLoadIntegrityChecking"
],
"d3f:authenticates": {
"@id": "d3f:HardwareDriver"
},
"d3f:d3fend-id": "D3-DLIC",
"d3f:definition": "Ensuring the integrity of drivers loaded during initialization of the operating system.",
"d3f:kb-article": "## How it works\nThis technique can be accomplished in a number of ways:\n\n* A kernel level security agent installed on a host machine ensures that the driver associated with the agent is first in the initialization order. A dependent DLL associated with the driver is configured to be processed before other dependent DLLs and executes a number of operations to ensure the driver associated with the security agent is initialized first.\n\n* Kernel components can be signed by a certificate obtained by a third party to verify the source of the component and whether it has been modified. When signed, the component will include a signature block implemented as a hash value of the component header and can also include a certificate chain. The signature and certificate data are typically added before the kernel component is distributed to the public.\n\n\n## Considerations\n\n* The private keys to sign certificates as reputable companies have been stolen in the past -- in cases such as where certificates from Adobe, Realtek, and JMicron have been used to sign malicious executables. (Source: https://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/#gref)\n\n* Trusted Root Certificate Authorities have been compromised, yielding the ability to use the compromised keys to generate certificates with an arbitrary company name.\n\n* It may not be difficult for an attacker to start an organization which can obtain a signed certificate.\n\n* A root certificate authority (CA) whose certificate is trusted in the verification logic could generate incorrect certificates, if they are lax or have ulterior motives.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-IntegrityAssuranceThroughEarlyLoadingInTheBootPhase_CrowdstrikeInc"
},
{
"@id": "d3f:Reference-ProtectedComputingEnvironment_MicrosoftTechnologyLicensingLLC"
}
],
"rdfs:label": "Driver Load Integrity Checking",
"rdfs:subClassOf": [
{
"@id": "d3f:PlatformHardening"
},
{
"@id": "_:N199fdc9480874ab1b68dc071cfaaf14f"
}
]
},
{
"@id": "_:N199fdc9480874ab1b68dc071cfaaf14f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:authenticates"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDriver"
}
},
{
"@id": "d3f:T1588.002",
"@type": "owl:Class",
"d3f:attack-id": "T1588.002",
"d3f:definition": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)",
"rdfs:label": "Tool",
"rdfs:subClassOf": {
"@id": "d3f:T1588"
}
},
{
"@id": "d3f:T1078.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1078.002",
"d3f:definition": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)",
"d3f:uses": {
"@id": "d3f:DomainUserAccount"
},
"rdfs:label": "Domain Accounts",
"rdfs:subClassOf": [
{
"@id": "d3f:T1078"
},
{
"@id": "_:N25457b6a6a1b4f4783957138902b259e"
}
]
},
{
"@id": "_:N25457b6a6a1b4f4783957138902b259e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:uses"
},
"owl:someValuesFrom": {
"@id": "d3f:DomainUserAccount"
}
},
{
"@id": "d3f:T1112",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1112",
"d3f:definition": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.",
"d3f:modifies": {
"@id": "d3f:WindowsRegistry"
},
"rdfs:label": "Modify Registry",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "_:N0ff3c4ed4bb44490a9fd37f02a72e21d"
}
]
},
{
"@id": "_:N0ff3c4ed4bb44490a9fd37f02a72e21d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistry"
}
},
{
"@id": "_:Ncff91b81b38d435584c7c77fff69e812",
"@type": "owl:AllDisjointClasses",
"owl:members": {
"@list": [
{
"@id": "d3f:CoefficientOfVariation"
},
{
"@id": "d3f:InterquartileRange"
},
{
"@id": "d3f:MeanAbsoluteDeviation"
},
{
"@id": "d3f:MedianAbsoluteDeviation"
},
{
"@id": "d3f:Range"
},
{
"@id": "d3f:StandardDeviation"
},
{
"@id": "d3f:Variance"
}
]
}
},
{
"@id": "d3f:OpticalDiscImage",
"@type": "owl:Class",
"d3f:definition": "An optical disc image (or ISO image, from the ISO 9660 file system used with CD-ROM media) is a disk image that contains everything that would be written to an optical disc, disk sector by disc sector, including the optical disc file system.",
"rdfs:isDefinedBy": {
"@id": "https://en.wikipedia.org/wiki/Optical_disc_image"
},
"rdfs:label": "Optical Disc Image",
"rdfs:seeAlso": {
"@id": "https://dbpedia.org/resource/Optical_disc_image"
},
"rdfs:subClassOf": {
"@id": "d3f:DiskImage"
}
},
{
"@id": "d3f:T1053.003",
"@type": "owl:Class",
"d3f:attack-id": "T1053.003",
"d3f:definition": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.",
"rdfs:label": "Cron",
"rdfs:subClassOf": {
"@id": "d3f:T1053"
}
},
{
"@id": "d3f:SystemFirmware",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Firmware that is installed on a computer's main board which manages the initial boot process. It can also continue to run or function after the operating system boots.",
"rdfs:label": "System Firmware",
"rdfs:subClassOf": {
"@id": "d3f:Firmware"
},
"skos:altLabel": [
"BIOS Firmware",
"UEFI Firmware"
]
},
{
"@id": "d3f:InitialAccessTechnique",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:enables": {
"@id": "d3f:TA0001"
},
"rdfs:label": "Initial Access Technique",
"rdfs:subClassOf": [
{
"@id": "d3f:ATTACKEnterpriseTechnique"
},
{
"@id": "d3f:OffensiveTechnique"
},
{
"@id": "_:N15f36adb0a584c2da81b43f9c8e862a5"
}
]
},
{
"@id": "_:N15f36adb0a584c2da81b43f9c8e862a5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:TA0001"
}
},
{
"@id": "d3f:T1595.003",
"@type": "owl:Class",
"d3f:attack-id": "T1595.003",
"d3f:definition": "Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).",
"rdfs:label": "Wordlist Scanning",
"rdfs:subClassOf": {
"@id": "d3f:T1595"
}
},
{
"@id": "d3f:ReadMemory",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:reads": {
"@id": "d3f:MemoryBlock"
},
"rdfs:label": "Read Memory",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Ncb10a2a5f2794682aae3aa97970990ab"
}
]
},
{
"@id": "_:Ncb10a2a5f2794682aae3aa97970990ab",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:reads"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryBlock"
}
},
{
"@id": "d3f:T1543.005",
"@type": "owl:Class",
"d3f:attack-id": "T1543.005",
"d3f:definition": "Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.",
"rdfs:label": "Container Service",
"rdfs:subClassOf": {
"@id": "d3f:T1543"
}
},
{
"@id": "d3f:M1034",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": {
"@id": "d3f:IOPortRestriction"
},
"rdfs:label": "Limit Hardware Installation"
},
{
"@id": "d3f:M1039",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": [
{
"@id": "d3f:ApplicationConfigurationHardening"
},
{
"@id": "d3f:SystemFileAnalysis"
}
],
"rdfs:label": "Environment Variable Permissions"
},
{
"@id": "d3f:T1601",
"@type": "owl:Class",
"d3f:attack-id": "T1601",
"d3f:definition": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.",
"rdfs:label": "Modify System Image",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-2_4",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Flaw Remediation | Automated Patch Management Tools",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:SoftwareUpdate"
},
"rdfs:label": "SI-2(4)"
},
{
"@id": "d3f:may-be-tactically-associated-with",
"@type": "owl:ObjectProperty",
"d3f:definition": "x may-be-tactically-associated-with y: the defensive action x may be a tactic that counters offensive action y.",
"rdfs:label": "may-be-tactically-associated-with",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:T1092",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1092",
"d3f:definition": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
"d3f:modifies": {
"@id": "d3f:RemovableMediaDevice"
},
"rdfs:label": "Communication Through Removable Media",
"rdfs:subClassOf": [
{
"@id": "d3f:CommandAndControlTechnique"
},
{
"@id": "_:N6be1da74e79f4f07a18381cd41f223e7"
}
]
},
{
"@id": "_:N6be1da74e79f4f07a18381cd41f223e7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:RemovableMediaDevice"
}
},
{
"@id": "d3f:T1518.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1518.001",
"d3f:definition": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
"d3f:may-access": [
{
"@id": "d3f:FileSystemMetadata"
},
{
"@id": "d3f:KernelProcessTable"
},
{
"@id": "d3f:SystemConfigurationDatabaseRecord"
},
{
"@id": "d3f:SystemFirewallConfiguration"
}
],
"d3f:may-invoke": {
"@id": "d3f:GetRunningProcesses"
},
"rdfs:label": "Security Software Discovery",
"rdfs:subClassOf": [
{
"@id": "d3f:T1518"
},
{
"@id": "_:Ne5a69eadee7b45c7928baa3594e8f4d1"
},
{
"@id": "_:N21b7ef5ff5a7495eb9dc81ae737d0b63"
},
{
"@id": "_:N15fcaf51ac4e47caa5723e7b1f9d0563"
},
{
"@id": "_:N809bc65b9bce4fdc98443d0b23ff5f5a"
},
{
"@id": "_:N3bc885525e844ef09593ea713475e737"
}
]
},
{
"@id": "_:Ne5a69eadee7b45c7928baa3594e8f4d1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-access"
},
"owl:someValuesFrom": {
"@id": "d3f:FileSystemMetadata"
}
},
{
"@id": "_:N21b7ef5ff5a7495eb9dc81ae737d0b63",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-access"
},
"owl:someValuesFrom": {
"@id": "d3f:KernelProcessTable"
}
},
{
"@id": "_:N15fcaf51ac4e47caa5723e7b1f9d0563",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-access"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
}
},
{
"@id": "_:N809bc65b9bce4fdc98443d0b23ff5f5a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-access"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemFirewallConfiguration"
}
},
{
"@id": "_:N3bc885525e844ef09593ea713475e737",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:GetRunningProcesses"
}
},
{
"@id": "d3f:CCI-001677_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:MessageAuthentication"
},
{
"@id": "d3f:SenderMTAReputationAnalysis"
},
{
"@id": "d3f:SenderReputationAnalysis"
},
{
"@id": "d3f:TransferAgentAuthentication"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2010-05-12T00:00:00"
},
"rdfs:label": "CCI-001677"
},
{
"@id": "d3f:CWE-237",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-237",
"d3f:definition": "The product does not handle or incorrectly handles inputs that are related to complex structures.",
"rdfs:label": "Improper Handling of Structural Elements",
"rdfs:subClassOf": {
"@id": "d3f:CWE-228"
}
},
{
"@id": "d3f:CWE-523",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-523",
"d3f:definition": "Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.",
"rdfs:label": "Unprotected Transport of Credentials",
"rdfs:subClassOf": {
"@id": "d3f:CWE-522"
}
},
{
"@id": "d3f:T1070.006",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1070.006",
"d3f:definition": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.",
"d3f:forges": {
"@id": "d3f:FileSystemMetadata"
},
"rdfs:label": "Timestomp",
"rdfs:subClassOf": [
{
"@id": "d3f:T1070"
},
{
"@id": "_:Na5374e9f6ac54aa8bb9578ab13e6f063"
}
]
},
{
"@id": "_:Na5374e9f6ac54aa8bb9578ab13e6f063",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:forges"
},
"owl:someValuesFrom": {
"@id": "d3f:FileSystemMetadata"
}
},
{
"@id": "d3f:DatabaseServer",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:DatabaseApplication"
},
"d3f:definition": "A database server is a server which uses a database application that provides database services to other computer programs or to computers, as defined by the client-server model. Database management systems (DBMSs) frequently provide database-server functionality, and some database management systems (such as MySQL) rely exclusively on the client-server model for database access (while others e.g. SQLite are meant for using as an embedded database). For clarification, a database server is simply a server that maintains services related to clients via database applications.",
"rdfs:isDefinedBy": {
"@id": "dbr:Database_server"
},
"rdfs:label": "Database Server",
"rdfs:subClassOf": [
{
"@id": "d3f:Server"
},
{
"@id": "_:N56e74c62c1454192b2801055fc1217c5"
}
],
"skos:altLabel": "Network Database Resource"
},
{
"@id": "_:N56e74c62c1454192b2801055fc1217c5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:DatabaseApplication"
}
},
{
"@id": "d3f:deletes",
"@type": "owl:ObjectProperty",
"d3f:definition": "x deletes y: A technique or agent x wipes out the digitally or magnetically recorded information of digital object y.",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/01001860-v"
},
"rdfs:label": "deletes",
"rdfs:subPropertyOf": [
{
"@id": "d3f:evicts"
},
{
"@id": "d3f:modifies"
}
]
},
{
"@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources",
"@type": [
"owl:NamedIndividual",
"d3f:UserManualReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.ibm.com/docs/en/taddm/7.3.0?topic=model-dependencies-between-resources"
},
"d3f:kb-organization": "IBM",
"d3f:kb-reference-of": [
{
"@id": "d3f:DataExchangeMapping"
},
{
"@id": "d3f:ServiceDependencyMapping"
},
{
"@id": "d3f:SystemDependencyMapping"
}
],
"d3f:kb-reference-title": "Tivoli Application Dependency Discovery Manager 7.3.0 - Dependencies between resources",
"rdfs:label": "Reference - Tivoli Application Dependency Discovery Manager 7.3.0 - Dependencies between resources"
},
{
"@id": "d3f:Session",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and then torn down at some later point. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.",
"rdfs:isDefinedBy": {
"@id": "dbr:Session_(computer_science)"
},
"rdfs:label": "Session",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/objects/session"
},
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:CWE-155",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-155",
"d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.",
"rdfs:label": "Improper Neutralization of Wildcards or Matching Symbols",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:File",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:FileSection"
},
"d3f:definition": "A file maintained in computer-readable form.",
"d3f:may-contain": [
{
"@id": "d3f:File"
},
{
"@id": "d3f:URL"
}
],
"rdfs:label": "File",
"rdfs:seeAlso": {
"@id": "http://wordnet-rdf.princeton.edu/id/06521201-n"
},
"rdfs:subClassOf": [
{
"@id": "d3f:Resource"
},
{
"@id": "_:N7c050953e02d428a9ee3f3033200419b"
},
{
"@id": "_:N17db0ece736843d3bb86c4f52bc49a3f"
},
{
"@id": "_:Nda087736477d49f981e9c9dd526dce25"
}
]
},
{
"@id": "_:N7c050953e02d428a9ee3f3033200419b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:FileSection"
}
},
{
"@id": "_:N17db0ece736843d3bb86c4f52bc49a3f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "_:Nda087736477d49f981e9c9dd526dce25",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:URL"
}
},
{
"@id": "d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20170324767A1"
},
"d3f:kb-abstract": "Techniques for detecting and/or handling target attacks in an enterprise's email channel are provided. The techniques include receiving aspects of an incoming email message addressed to a first email account holder, selecting a recipient interaction profile and/or a sender profile from a plurality of predetermined profiles stored in a memory based upon the received properties, determining a message trust rating associated with the incoming email message based upon the incoming email message and the selected recipient interaction profile and/or the sender profile; and generating an alert identifying the incoming email message as including a security risk based upon the determined message trust rating. The recipient interaction profile includes information associating the first email account holder and a plurality of email senders from whom email messages have previously been received for the first email account holder, and the sender profile includes information associating a sender of the incoming email message with characteristics determined from a plurality of email messages previously received from the sender.",
"d3f:kb-author": "Manoj Kumar Srivastava",
"d3f:kb-mitre-analysis": "The patent describes using sender trust rating and sender MTA trust rating as an indicator of level of email security risk.\n\n### Sender Reputation explanation\nThis patent includes Sender Reputation because it describes sender trust rating being used as an indicator of the level of security risk and/or trust level associated with an email sender. The sender trust rating may be determined based on one or more of:\n\n* length of time sender has known the enterprise\n* number of recipients in the enterprise the sender interacts with\n* sender vs. enterprise originated message ratio\n* sender messages open vs. not-open ratio\n* number of emails received from this sender\n* number of emails replied for this sender\n* number of emails from this sender not opened\n* number of emails from this sender not opened that contain an attachment\n* number of emails from this sender not opened that contain a URL\n* number of emails sent to this sender\n* number of email replies received from this sender\n\nBased on the trust rating an alert is generated identifying the incoming email message as a security risk.\n\n### Sender MTA Reputation explanation\nThis patent includes Sender MTA Reputation because it describes sender MTA trust rating as an indicator of the level of security risk and/or trust level associated with a sender MTA. The trust rating may be determined based on one or more of:\n\n* length of time MTA has interacted with the enterprise\n* number of sender domains sending emails from the MTA\n* number of recipients in the enterprise the MTA sends emails to\n* number of emails received from this MTA\n* number of email replies received from this MTA\n\nBased on the trust rating an alert is generated identifying the incoming email message as a security risk.",
"d3f:kb-organization": "Graphus Inc",
"d3f:kb-reference-of": [
{
"@id": "d3f:SenderMTAReputationAnalysis"
},
{
"@id": "d3f:SenderReputationAnalysis"
}
],
"d3f:kb-reference-title": "Systems and methods for detecting and/or handling targeted attacks in the email channel",
"rdfs:label": "Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Inc"
},
{
"@id": "d3f:VideoInputDevice",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Video input devices are used to digitize images or video from the outside world into the computer. The information can be stored in a multitude of formats depending on the user's requirement.",
"rdfs:isDefinedBy": {
"@id": "http://dbpedia.org/resource/Input_device#Video_input_devices"
},
"rdfs:label": "Video Input Device",
"rdfs:subClassOf": {
"@id": "d3f:InputDevice"
}
},
{
"@id": "d3f:Client-serverPayloadProfiling",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:Client-serverPayloadProfiling"
],
"d3f:analyzes": {
"@id": "d3f:NetworkTraffic"
},
"d3f:d3fend-id": "D3-CSPP",
"d3f:definition": "Comparing client-server request and response payloads to a baseline profile to identify outliers.",
"d3f:kb-article": "## How it works\nProfiling request and response payloads across multiple clients to a single server to develop a baseline of their characteristics. May take into account request/response sizes, entropy, frequency, and rhythm. Finally, identify outliers as they may indicate a malicious payload delivery and subsequent server exploitation.\n\n\n## Considerations\n* Collecting metrics to establish a profile can be challenging since user behavior can change easily.\n* Employees may work different hours or inconsistent schedules which will cause false positives.\n* Collection of network activity to generate metrics is a computationally intensive process.\n* Users may log into different workstations which may cause false positives.",
"d3f:kb-reference": {
"@id": "d3f:Reference-MethodAndSystemForDetectingMaliciousPayloads_VectraNetworksInc"
},
"rdfs:label": "Client-server Payload Profiling",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkTrafficAnalysis"
},
{
"@id": "_:N05633d7f78a44bd290dc3e337bb39ac6"
}
]
},
{
"@id": "_:N05633d7f78a44bd290dc3e337bb39ac6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTraffic"
}
},
{
"@id": "d3f:executes",
"@type": "owl:ObjectProperty",
"d3f:definition": "x executes y: The subject x takes the action of carrying out (executing) y, which is a single software module, function, or instruction.",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/02569242-v"
},
"rdfs:label": "executes",
"rdfs:subPropertyOf": [
{
"@id": "d3f:accesses"
},
{
"@id": "d3f:may-execute"
},
{
"@id": "d3f:runs"
}
]
},
{
"@id": "d3f:TrustStore",
"@type": "owl:Class",
"d3f:definition": "Stores public information necessary to determine if another party can be trusted.",
"rdfs:label": "Trust Store",
"rdfs:seeAlso": [
{
"@id": "dbr:Public_key_certificate"
},
{
"@id": "https://www.educative.io/edpresso/keystore-vs-truststore"
}
],
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:OperatingSystemSharedLibraryFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An operating system shared library file is a shared library file that is part of the operating system and that incorporates common operating system code for use by any application or to provide operating system services.",
"rdfs:label": "Operating System Shared Library File",
"rdfs:seeAlso": {
"@id": "http://dbpedia.org/resource/Library_(computing)#Shared_libraries"
},
"rdfs:subClassOf": [
{
"@id": "d3f:OperatingSystemFile"
},
{
"@id": "d3f:SharedLibraryFile"
}
]
},
{
"@id": "d3f:GlobalUserAccount",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A type of user account in Microsoft Windows (NT) that has a domain-wide scope.defines that user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to the domain.",
"rdfs:label": "Global User Account",
"rdfs:seeAlso": {
"@id": "https://networkencyclopedia.com/global-user-account"
},
"rdfs:subClassOf": {
"@id": "d3f:DomainUserAccount"
}
},
{
"@id": "d3f:CWE-307",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-307",
"d3f:definition": "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.",
"rdfs:label": "Improper Restriction of Excessive Authentication Attempts",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1390"
},
{
"@id": "d3f:CWE-799"
}
]
},
{
"@id": "d3f:CWE-477",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-477",
"d3f:definition": "The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.",
"rdfs:label": "Use of Obsolete Function",
"rdfs:subClassOf": {
"@id": "d3f:CWE-710"
}
},
{
"@id": "d3f:CWE-1246",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1246",
"d3f:definition": "The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.",
"rdfs:label": "Improper Write Handling in Limited-write Non-Volatile Memories",
"rdfs:subClassOf": {
"@id": "d3f:CWE-400"
}
},
{
"@id": "d3f:T1565",
"@type": "owl:Class",
"d3f:attack-id": "T1565",
"d3f:definition": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.",
"rdfs:label": "Data Manipulation",
"rdfs:subClassOf": {
"@id": "d3f:ImpactTechnique"
}
},
{
"@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_Cymmetria,Inc.",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20170134423A1"
},
"d3f:kb-abstract": "A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating system (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.\n\nIn order to convince the potential attacker that the deception environment is the real (valid) processing environment and/or part thereof, the campaign manager may construct the false identity according to the public information of the certain user that may typically be available to the potential attacker. By exposing the real (public) information of the certain user to the potential attacker, the false identity may seem consistent and legitimate to the potential attacker. For example, the campaign manager may create a false account, for example, a Facebook account of the certain user that includes the same public information that is publicly available to other Facebook users from the real (genuine) Facebook account of the certain user. The fake company account may include information specific to the role and/or job title of certain user within the company, for example, a programmer, an accountant, an IT person and/or the like.",
"d3f:kb-author": "Dean Sysman, Gadi Evron, Imri Goldberg, Itamar Sher, Shmuel Ur",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Cymmetria, Inc.",
"d3f:kb-reference-of": {
"@id": "d3f:DecoyPersona"
},
"d3f:kb-reference-title": "Decoy and deceptive data object technology",
"rdfs:label": "Reference - Decoy and deceptive data object technology - Cymmetria, Inc."
},
{
"@id": "d3f:T1094",
"@type": "owl:Class",
"d3f:attack-id": "T1094",
"d3f:definition": "Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Application Layer Protocol](https://attack.mitre.org/techniques/T1071). Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1095",
"rdfs:label": "Custom Command and Control Protocol",
"rdfs:seeAlso": "T1095",
"rdfs:subClassOf": {
"@id": "d3f:CommandAndControlTechnique"
}
},
{
"@id": "d3f:CWE-460",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-460",
"d3f:definition": "The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.",
"rdfs:label": "Improper Cleanup on Thrown Exception",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-459"
},
{
"@id": "d3f:CWE-755"
}
]
},
{
"@id": "d3f:T1027.015",
"@type": "owl:Class",
"d3f:attack-id": "T1027.015",
"d3f:definition": "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)",
"rdfs:label": "Compression",
"rdfs:subClassOf": {
"@id": "d3f:T1027"
}
},
{
"@id": "d3f:Subroutine",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "In different programming languages, a subroutine may be called a procedure, a function, a routine, a method, or a subprogram. The generic term callable unit is sometimes used.",
"d3f:synonym": [
"Method",
"Semantic Subroutine",
"Software Function"
],
"rdfs:label": "Subroutine",
"rdfs:seeAlso": {
"@id": "dbr:Subroutine"
},
"rdfs:subClassOf": {
"@id": "d3f:Software"
}
},
{
"@id": "d3f:CWE-637",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-637",
"d3f:definition": "The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.",
"d3f:synonym": "Unnecessary Complexity",
"rdfs:label": "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-657"
}
},
{
"@id": "d3f:OTRunCommand",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Commands a device to start or resume a service/program.",
"d3f:modifies": {
"@id": "d3f:OperatingMode"
},
"rdfs:comment": [
"BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
"GE-SRTP: SET PLC (RUN VS STOP)"
],
"rdfs:label": "OT Run Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyDeviceOperatingModeCommand"
},
{
"@id": "_:N265832582a2345ca87cdba50f16048fd"
}
]
},
{
"@id": "_:N265832582a2345ca87cdba50f16048fd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingMode"
}
},
{
"@id": "d3f:FirmwareEmbeddedMonitoringCode",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:FirmwareEmbeddedMonitoringCode"
],
"d3f:analyzes": {
"@id": "d3f:Firmware"
},
"d3f:d3fend-id": "D3-FEMC",
"d3f:definition": "Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.",
"d3f:kb-article": "## How it works\nFirmware in deployed network devices is typically not monitored for malicious changes. This technique provides a method to embed a software security component into the deployed firmware which provides a near real-time monitoring hook. The exception handling code, in the firmware, is typically used to expose any detected vulnerabilities.\n\nThe injected software components provide a feature similar to intrusion detection systems for the firmware by detecting unauthorized modifications of the embedded firmware. The integrity of static code and firmware data are monitored continuously in the hosted devices. Comparisons are made to monitored elements like firmware memory addresses and data segments. Memory pages are scanned and if a modification is detected the software component may lock the page. This will protect subsequent attempted modifications to the firmware. The software component may utilize the exception handling code and thus be able to disclose the exact address of the modified memory.\n\nThe injected software components are inserted during the firmware imaging process. The injected software is assumed to have knowledge of both the embedded code and the current execution state of the host program. The injected software will monitor and alert, in near real-time, on potential suspicious activity. The injected code is run alongside of the embedded code in the host. The injected software operates as an independent entity and is not dependent on the host software.\n\nFinally, this technique may implement other countermeasure techniques as part of their analytical processes. These should be identified by referencing other countermeasure techniques directly as necessary.\n\n## Considerations\n* The firmware code will need to be modified and re-hosted on the device.\n* Exposing monitoring hooks to the injected code may introduce additional risk.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeRedBalloon"
},
{
"@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeSymbiotes"
}
],
"rdfs:label": "Firmware Embedded Monitoring Code",
"rdfs:subClassOf": [
{
"@id": "d3f:PlatformMonitoring"
},
{
"@id": "_:N92b3ce6402774e5482daeac13659cd6b"
}
]
},
{
"@id": "_:N92b3ce6402774e5482daeac13659cd6b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:Firmware"
}
},
{
"@id": "d3f:T1585",
"@type": "owl:Class",
"d3f:attack-id": "T1585",
"d3f:definition": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)",
"rdfs:label": "Establish Accounts",
"rdfs:subClassOf": {
"@id": "d3f:ResourceDevelopmentTechnique"
}
},
{
"@id": "d3f:T1086",
"@type": "owl:Class",
"d3f:attack-id": "T1086",
"d3f:definition": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1059.001",
"rdfs:label": "PowerShell",
"rdfs:seeAlso": "T1059.001",
"rdfs:subClassOf": {
"@id": "d3f:ExecutionTechnique"
}
},
{
"@id": "d3f:SoftwareLibraryFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:Subroutine"
},
"d3f:definition": "A software library is a collection of software components that are used to build a software product.",
"d3f:may-contain": [
{
"@id": "d3f:ExecutableBinary"
},
{
"@id": "d3f:ExecutableScript"
}
],
"rdfs:label": "Software Library File",
"rdfs:seeAlso": {
"@id": "https://dbpedia.org/page/Library_(computing)"
},
"rdfs:subClassOf": [
{
"@id": "d3f:File"
},
{
"@id": "_:N72fb519e5b4b45f6a5a4da1e8f541835"
},
{
"@id": "_:N0eb70d0f2dd2489a9aec6a14cf0034da"
},
{
"@id": "_:N8fe1fa8a364d4b9b838cddb2ddb56a10"
}
]
},
{
"@id": "_:N72fb519e5b4b45f6a5a4da1e8f541835",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:Subroutine"
}
},
{
"@id": "_:N0eb70d0f2dd2489a9aec6a14cf0034da",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableBinary"
}
},
{
"@id": "_:N8fe1fa8a364d4b9b838cddb2ddb56a10",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableScript"
}
},
{
"@id": "d3f:WindowsCreateThread",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Creates a thread to execute within the virtual address space of the calling process.",
"d3f:invokes": [
{
"@id": "d3f:WindowsNtCreateThread"
},
{
"@id": "d3f:WindowsNtCreateThreadEx"
}
],
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread"
},
"rdfs:label": "Windows CreateThread",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPICreateThread"
},
{
"@id": "_:Nde49fb9cba374c17958e01cdc3a51403"
},
{
"@id": "_:N1f39dcc9fa614a10aa9fc8d61d23c663"
}
]
},
{
"@id": "_:Nde49fb9cba374c17958e01cdc3a51403",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtCreateThread"
}
},
{
"@id": "_:N1f39dcc9fa614a10aa9fc8d61d23c663",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtCreateThreadEx"
}
},
{
"@id": "d3f:ContainerRuntime",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A software layer between a container process and a kernel which often mediates the invocation of a system call.",
"d3f:runs": {
"@id": "d3f:ContainerImage"
},
"rdfs:label": "Container Runtime",
"rdfs:seeAlso": [
{
"@id": "d3f:ContainerProcess"
},
{
"@id": "d3f:Kernel"
},
{
"@id": "d3f:SystemCall"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:ServiceApplication"
},
{
"@id": "_:N1682db300a9c4d00a12f11a11ab40e16"
}
]
},
{
"@id": "_:N1682db300a9c4d00a12f11a11ab40e16",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:runs"
},
"owl:someValuesFrom": {
"@id": "d3f:ContainerImage"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_11",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:broader": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:control-name": "Information Flow Enforcement | Configuration of Security or Privacy Policy Filters",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-4(11)"
},
{
"@id": "d3f:T1651",
"@type": "owl:Class",
"d3f:attack-id": "T1651",
"d3f:definition": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)",
"rdfs:label": "Cloud Administration Command",
"rdfs:subClassOf": {
"@id": "d3f:ExecutionTechnique"
}
},
{
"@id": "d3f:EmailAttachment",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attached-to": {
"@id": "d3f:Email"
},
"d3f:definition": "An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images.",
"rdfs:isDefinedBy": {
"@id": "dbr:Email_attachment"
},
"rdfs:label": "Email Attachment",
"rdfs:subClassOf": [
{
"@id": "d3f:DocumentFile"
},
{
"@id": "_:N0c4f815d489946259e3d424a4e3a0245"
}
]
},
{
"@id": "_:N0c4f815d489946259e3d424a4e3a0245",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:attached-to"
},
"owl:someValuesFrom": {
"@id": "d3f:Email"
}
},
{
"@id": "d3f:may-execute",
"@type": "owl:ObjectProperty",
"d3f:definition": "x may execute y: The subject x might take the action of carrying out (executing) y, which is a single software module, function, or instruction.",
"rdfs:label": "may-execute",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:ThreadStartFunction",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A function which invokes a create thread system call.",
"d3f:executes": {
"@id": "d3f:Thread"
},
"rdfs:label": "Thread Start Function",
"rdfs:subClassOf": [
{
"@id": "d3f:Subroutine"
},
{
"@id": "_:N79c3aa8abb6741a18b3f4294bbe0a519"
}
]
},
{
"@id": "_:N79c3aa8abb6741a18b3f4294bbe0a519",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:executes"
},
"owl:someValuesFrom": {
"@id": "d3f:Thread"
}
},
{
"@id": "d3f:CWE-291",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-291",
"d3f:definition": "The product uses an IP address for authentication.",
"rdfs:label": "Reliance on IP Address for Authentication",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-290"
},
{
"@id": "d3f:CWE-471"
},
{
"@id": "d3f:CWE-923"
}
]
},
{
"@id": "d3f:CWE-269",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-269",
"d3f:definition": "The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.",
"rdfs:label": "Improper Privilege Management",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:T1176.001",
"@type": "owl:Class",
"d3f:attack-id": "T1176.001",
"d3f:definition": "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)",
"rdfs:label": "Browser Extensions",
"rdfs:subClassOf": {
"@id": "d3f:T1176"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-10_6",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Developer Configuration Management | Trusted Distribution",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:related": [
{
"@id": "d3f:FirmwareVerification"
},
{
"@id": "d3f:PlatformHardening"
}
],
"rdfs:label": "SA-10(6)"
},
{
"@id": "d3f:T1546.016",
"@type": "owl:Class",
"d3f:attack-id": "T1546.016",
"d3f:definition": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)",
"rdfs:label": "Installer Packages",
"rdfs:subClassOf": {
"@id": "d3f:T1546"
}
},
{
"@id": "d3f:Reference-ApparatusForToProvideContentToAndQueryAReverseDomainNameSystemServer",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20100174829A1/en?oq=20100174829"
},
"d3f:kb-abstract": "An apparatus is disclosed for to provide content to and query a reverse domain name system (DNS) server without depending on the kindness of domain name system registrars, registrants. DNS replies are observed by firewalls or filters, analyzed, and transmitted to a reverse domain name system server. An embodiment of the present invention can be within a DNS server or SMTP server.",
"d3f:kb-author": "Dean Danko",
"d3f:kb-mitre-analysis": "This patent includes the description of a method of blocking email traffic from untrusted domains by analyzing the TCP/IP source IP addresses and blocking traffic for IPs whose reverse lookup response FQDN matches a denylist.",
"d3f:kb-reference-title": "Apparatus for to provide content to and query a reverse domain name system server",
"rdfs:label": "Reference - Apparatus for to provide content to and query a reverse domain name system server - Barrracuda Networks"
},
{
"@id": "d3f:CWE-757",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-757",
"d3f:definition": "A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.",
"rdfs:label": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-693"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Access Enforcement",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:ExecutableAllowlisting"
},
{
"@id": "d3f:ExecutableDenylisting"
}
],
"rdfs:label": "AC-3"
},
{
"@id": "d3f:Reference-FileAndFolderPermissions",
"@type": [
"owl:NamedIndividual",
"d3f:UserManualReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727008(v=technet.10)?redirectedfrom=MSDN"
},
"d3f:kb-organization": "Microsoft",
"d3f:kb-reference-of": {
"@id": "d3f:LocalFilePermissions"
},
"d3f:kb-reference-title": "File and Folder Permissions",
"rdfs:label": "Reference - File and Folder Permissions"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_13",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Account Management | Disable Accounts for High-risk Individuals",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:AccountLocking"
},
"rdfs:label": "AC-2(13)"
},
{
"@id": "d3f:CCI-000025_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-14T00:00:00"
},
"rdfs:label": "CCI-000025"
},
{
"@id": "d3f:CCI-002394_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system protects the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined security safeguards.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:SystemConfigurationPermissions"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002394"
},
{
"@id": "d3f:PhysicalAccessMediation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:PhysicalAccessMediation"
],
"d3f:d3fend-id": "D3-PAM",
"d3f:definition": "Physical access mediation is the process of granting or denying specific requests to enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances.)",
"d3f:isolates": {
"@id": "d3f:PhysicalArtifact"
},
"d3f:kb-reference": {
"@id": "d3f:Reference-CNNSI-4009"
},
"d3f:synonym": "Physical Access Control",
"rdfs:label": "Physical Access Mediation",
"rdfs:subClassOf": [
{
"@id": "d3f:AccessMediation"
},
{
"@id": "_:N16a2b6ddc0f74000bc22082418634ef8"
}
]
},
{
"@id": "_:N16a2b6ddc0f74000bc22082418634ef8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:isolates"
},
"owl:someValuesFrom": {
"@id": "d3f:PhysicalArtifact"
}
},
{
"@id": "d3f:T1673",
"@type": "owl:Class",
"d3f:attack-id": "T1673",
"d3f:definition": "An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) such as `esxcli` or `vim-cmd` (e.g. `esxcli vm process list or vim-cmd vmsvc/getallvms`).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: TrendMicro Play) Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host.",
"rdfs:label": "Virtual Machine Discovery",
"rdfs:subClassOf": {
"@id": "d3f:DiscoveryTechnique"
}
},
{
"@id": "d3f:T1535",
"@type": "owl:Class",
"d3f:attack-id": "T1535",
"d3f:definition": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.",
"rdfs:label": "Unused/Unsupported Cloud Regions",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:T1037.004",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1037.004",
"d3f:definition": "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.",
"d3f:modifies": {
"@id": "d3f:SystemInitScript"
},
"rdfs:label": "RC Scripts",
"rdfs:subClassOf": [
{
"@id": "d3f:T1037"
},
{
"@id": "_:N6f5f790b7a2c40b7b37fd8b0af03f7a2"
}
]
},
{
"@id": "_:N6f5f790b7a2c40b7b37fd8b0af03f7a2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemInitScript"
}
},
{
"@id": "d3f:PrimaryStorage",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": [
{
"@id": "d3f:PageFrame"
},
{
"@id": "d3f:ProcessSegment"
}
],
"d3f:definition": "Primary memory of a computer is memory that is wired directly to the processor, consisting of RAM and possibly ROM. These terms are used in contrast to mass storage devices and cache memory (although we may note that when a program accesses main memory, it is often actually interacting with a cache).",
"rdfs:isDefinedBy": {
"@id": "https://www.memorymanagement.org/glossary/m.html#term-main-memory"
},
"rdfs:label": "Primary Storage",
"rdfs:seeAlso": {
"@id": "https://en.wikipedia.org/wiki/Computer_data_storage#Primary_storage"
},
"rdfs:subClassOf": [
{
"@id": "d3f:HardwareDevice"
},
{
"@id": "d3f:Storage"
},
{
"@id": "_:Nc1adcbe7a4744c69874150bf27d70e3f"
},
{
"@id": "_:Nd16527b295d640a5ac05d6a61ad40aa1"
}
]
},
{
"@id": "_:Nc1adcbe7a4744c69874150bf27d70e3f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:PageFrame"
}
},
{
"@id": "_:Nd16527b295d640a5ac05d6a61ad40aa1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessSegment"
}
},
{
"@id": "d3f:M1027",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": [
{
"@id": "d3f:One-timePassword"
},
{
"@id": "d3f:StrongPasswordPolicy"
}
],
"rdfs:label": "Password Policies"
},
{
"@id": "d3f:ServiceDependencyMapping",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ServiceDependencyMapping"
],
"d3f:d3fend-id": "D3-SVCDM",
"d3f:definition": "Service dependency mapping determines the services on which each given service relies.",
"d3f:kb-article": "## How it works\nThe organization collects and models architectural information about the services and consumers of services and maps the dependencies between the services.\n\n## Considerations\n* Architectural design artifacts and SMEs may need to be consulted to determine if dependencies are intended or otherwise essential.\n* Service dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis.\n* Service dependencies in cloud or microservice architectures may be discovered using distributed tracing capabilities",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-CatiaUAFPlugin"
},
{
"@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources"
},
{
"@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
}
],
"d3f:maps": {
"@id": "d3f:ServiceDependency"
},
"d3f:synonym": "Distributed Tracing",
"rdfs:label": "Service Dependency Mapping",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemMapping"
},
{
"@id": "_:N5382edd8e4594274afc77d90ede400cc"
}
]
},
{
"@id": "_:N5382edd8e4594274afc77d90ede400cc",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:maps"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceDependency"
}
},
{
"@id": "d3f:Reference-Tripwire",
"@type": [
"owl:NamedIndividual",
"d3f:UserManualReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://linux.die.net/man/8/tripwire"
},
"d3f:kb-reference-of": {
"@id": "d3f:FileIntegrityMonitoring"
},
"d3f:kb-reference-title": "Reference - Tripwire",
"rdfs:label": "Reference - Tripwire"
},
{
"@id": "d3f:HardeningEvent",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An event involving actions to strengthen defenses, such as applying patches or implementing secure configurations, reducing attack surfaces, and increasing the difficulty of exploitation by adversaries.",
"d3f:related": {
"@id": "d3f:Harden"
},
"rdfs:label": "Hardening Event",
"rdfs:subClassOf": {
"@id": "d3f:SecurityEvent"
}
},
{
"@id": "d3f:CWE-439",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-439",
"d3f:definition": "A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.",
"d3f:synonym": "Functional change",
"rdfs:label": "Behavioral Change in New Version or Environment",
"rdfs:subClassOf": {
"@id": "d3f:CWE-435"
}
},
{
"@id": "d3f:T1491",
"@type": "owl:Class",
"d3f:attack-id": "T1491",
"d3f:definition": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages.",
"rdfs:label": "Defacement",
"rdfs:subClassOf": {
"@id": "d3f:ImpactTechnique"
}
},
{
"@id": "d3f:Semi-supervisedPre-training",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SSPT",
"d3f:definition": "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data",
"d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
"rdfs:label": "Semi-supervised Pre-training",
"rdfs:subClassOf": {
"@id": "d3f:UnsupervisedPreprocessing"
}
},
{
"@id": "d3f:T1017",
"@type": "owl:Class",
"d3f:attack-id": "T1017",
"d3f:definition": "Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1072",
"rdfs:label": "Application Deployment Software",
"rdfs:seeAlso": "T1072",
"rdfs:subClassOf": {
"@id": "d3f:LateralMovementTechnique"
}
},
{
"@id": "d3f:IntranetAdministrativeNetworkTraffic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Intranet administrative network traffic is administrative network traffic that does not cross a given network's boundaries and uses a standard administrative protocol.",
"rdfs:label": "Intranet Administrative Network Traffic",
"rdfs:seeAlso": {
"@id": "dbr:Intranet"
},
"rdfs:subClassOf": [
{
"@id": "d3f:AdministrativeNetworkTraffic"
},
{
"@id": "d3f:IntranetNetworkTraffic"
}
]
},
{
"@id": "d3f:StartupDirectory",
"@type": "owl:Class",
"d3f:definition": "A startup directory is a directory containing executable files or links to executable files which are run when a user logs in or when a system component or service is started.",
"rdfs:label": "Startup Directory",
"rdfs:subClassOf": [
{
"@id": "d3f:Directory"
},
{
"@id": "d3f:LocalResource"
}
]
},
{
"@id": "d3f:may-transfer",
"@type": "owl:ObjectProperty",
"d3f:definition": "x may-transfer y: They entity x might send the thing y; that is, 'x transfers y' may be true.",
"rdfs:label": "may-transfer",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:CWE-377",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-377",
"d3f:definition": "Creating and using insecure temporary files can leave application and system data vulnerable to attack.",
"rdfs:label": "Insecure Temporary File",
"rdfs:subClassOf": {
"@id": "d3f:CWE-668"
}
},
{
"@id": "d3f:T1562.004",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1562.004",
"d3f:definition": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.",
"d3f:modifies": {
"@id": "d3f:SystemFirewallConfiguration"
},
"rdfs:label": "Disable or Modify System Firewall",
"rdfs:subClassOf": [
{
"@id": "d3f:T1562"
},
{
"@id": "_:Nacdd7bbe70ff4eccb3d71c00e9c7ef5a"
}
]
},
{
"@id": "_:Nacdd7bbe70ff4eccb3d71c00e9c7ef5a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemFirewallConfiguration"
}
},
{
"@id": "d3f:CWE-1427",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1427",
"d3f:definition": "The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.",
"d3f:synonym": "prompt injection",
"rdfs:label": "Improper Neutralization of Input Used for LLM Prompting",
"rdfs:subClassOf": {
"@id": "d3f:CWE-77"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_15",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Information Flow Enforcement | Detection of Unsanctioned Information",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"rdfs:label": "AC-4(15)"
},
{
"@id": "d3f:CWE-571",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-571",
"d3f:definition": "The product contains an expression that will always evaluate to true.",
"rdfs:label": "Expression is Always True",
"rdfs:subClassOf": {
"@id": "d3f:CWE-710"
}
},
{
"@id": "d3f:Step",
"@type": "owl:Class",
"rdfs:label": "Step",
"rdfs:subClassOf": [
{
"@id": "d3f:Plan"
},
{
"@id": "_:Nf9f32e85b71246acaa14ade65ba92f0c"
},
{
"@id": "_:N541964ddbf4f4a98b43e0a57157a25fc"
},
{
"@id": "_:Na0c167a7ad91435f8490fcc09028d80c"
},
{
"@id": "_:N998abfbe11ab48f3b781845bd7376c2a"
}
]
},
{
"@id": "_:Nf9f32e85b71246acaa14ade65ba92f0c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:end"
},
"owl:someValuesFrom": {
"@id": "d3f:Step"
}
},
{
"@id": "_:N541964ddbf4f4a98b43e0a57157a25fc",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:fork"
},
"owl:someValuesFrom": {
"@id": "d3f:Step"
}
},
{
"@id": "_:Na0c167a7ad91435f8490fcc09028d80c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-be-associated-with"
},
"owl:someValuesFrom": {
"@id": "d3f:Artifact"
}
},
{
"@id": "_:N998abfbe11ab48f3b781845bd7376c2a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:next"
},
"owl:someValuesFrom": {
"@id": "d3f:Step"
}
},
{
"@id": "d3f:Reference-RedHatEnterpriseLinux8SecurityTechnicalImplementationGuide",
"@type": [
"owl:NamedIndividual",
"d3f:GuidelineReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/"
},
"d3f:kb-abstract": "Red Hat Enterprise Linux 8 Security Guidelines",
"d3f:kb-reference-of": {
"@id": "d3f:ApplicationConfigurationHardening"
},
"d3f:kb-reference-title": "Red Hat Enterprise Linux 8 Security Technical Implementation Guide",
"rdfs:label": "Reference - Red Hat Enterprise Linux 8 Security Technical Implementation Guide"
},
{
"@id": "d3f:LinuxSocket",
"@type": "owl:Class",
"d3f:definition": "Create an endpoint for communication.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/socket.2.html"
},
"rdfs:label": "Linux Socket",
"rdfs:subClassOf": {
"@id": "d3f:OSAPICreateSocket"
}
},
{
"@id": "d3f:LinuxPtraceArgumentPTRACE_DETACH",
"@type": "owl:Class",
"d3f:definition": "Restart the stopped tracee as for PTRACE_CONT, but first detach from it.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
},
"rdfs:label": "Linux Ptrace Argument PTRACE_DETACH",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIResumeProcess"
}
},
{
"@id": "d3f:LocalAreaNetworkAttacker",
"@type": "owl:Class",
"d3f:definition": "An attacker who exploits vulnerabilities within the same local area network.",
"d3f:synonym": "LAN Attacker",
"rdfs:label": "Local Area Network Attacker",
"rdfs:subClassOf": [
{
"@id": "d3f:LocalAttacker"
},
{
"@id": "_:Ne5c30c0d9aa545be82edf5009eff512e"
}
]
},
{
"@id": "_:Ne5c30c0d9aa545be82edf5009eff512e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:LocalAreaNetwork"
}
},
{
"@id": "d3f:CWE-344",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-344",
"d3f:definition": "The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.",
"rdfs:label": "Use of Invariant Value in Dynamically Changing Context",
"rdfs:subClassOf": {
"@id": "d3f:CWE-330"
}
},
{
"@id": "d3f:CCI-000386_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications.",
"d3f:exactly": {
"@id": "d3f:ExecutableDenylisting"
},
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-18T00:00:00"
},
"rdfs:label": "CCI-000386"
},
{
"@id": "d3f:T1158",
"@type": "owl:Class",
"d3f:attack-id": "T1158",
"d3f:definition": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1564.001",
"rdfs:label": "Hidden Files and Directories",
"rdfs:seeAlso": "T1564.001",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "d3f:PersistenceTechnique"
}
]
},
{
"@id": "d3f:mediates-access-to",
"@type": "owl:ObjectProperty",
"d3f:definition": "x mediates-access-to y: The entity x controls and brokers requests to reach entity y, enforcing the access rules that allow or deny it.",
"rdfs:label": "mediates-access-to",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:T1570",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1570",
"d3f:definition": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.",
"d3f:produces": {
"@id": "d3f:IntranetFileTransferTraffic"
},
"rdfs:label": "Lateral Tool Transfer",
"rdfs:subClassOf": [
{
"@id": "d3f:LateralMovementTechnique"
},
{
"@id": "_:N8e5f058b65864c1cab9f61b61d8c3560"
}
]
},
{
"@id": "_:N8e5f058b65864c1cab9f61b61d8c3560",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:IntranetFileTransferTraffic"
}
},
{
"@id": "d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1",
"@type": [
"owl:NamedIndividual",
"d3f:SpecificationReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://tools.ietf.org/html/rfc3851"
},
"d3f:kb-organization": "Internet Engineering Task Force (IETF)",
"d3f:kb-reference-title": "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification",
"rdfs:label": "Reference - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1"
},
{
"@id": "d3f:CommandHistoryLogFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:CommandHistoryLog"
},
"d3f:definition": "A command history log file is a file containing a command history, which the history of commands run in an operating system shell.",
"rdfs:label": "Command History Log File",
"rdfs:seeAlso": {
"@id": "dbr:Command_history"
},
"rdfs:subClassOf": [
{
"@id": "d3f:LogFile"
},
{
"@id": "_:Nd9362313694d432bada698f28ec95f35"
}
]
},
{
"@id": "_:Nd9362313694d432bada698f28ec95f35",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:CommandHistoryLog"
}
},
{
"@id": "d3f:enumerates",
"@type": "owl:ObjectProperty",
"d3f:definition": "x enumerates y: The subject x takes the action of reading from a digital source y to acquire data and create a list of its contents.",
"rdfs:label": "enumerates",
"rdfs:subPropertyOf": {
"@id": "d3f:reads"
}
},
{
"@id": "d3f:LinuxKillArgumentSIGKILL",
"@type": "owl:Class",
"d3f:definition": "Send SIGKILL signal to a process.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/kill.2.html"
},
"rdfs:label": "Linux Kill Argument SIGKILL",
"rdfs:subClassOf": {
"@id": "d3f:OSAPITerminateProcess"
}
},
{
"@id": "d3f:T1059.006",
"@type": "owl:Class",
"d3f:attack-id": "T1059.006",
"d3f:definition": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)",
"rdfs:label": "Python",
"rdfs:subClassOf": {
"@id": "d3f:T1059"
}
},
{
"@id": "d3f:IdentifierAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:IdentifierAnalysis"
],
"d3f:d3fend-id": "D3-ID",
"d3f:definition": "Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.",
"d3f:enables": {
"@id": "d3f:Detect"
},
"rdfs:label": "Identifier Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:DefensiveTechnique"
},
{
"@id": "_:N72eb34c2ba664d6b9c67513f87b5b841"
}
]
},
{
"@id": "_:N72eb34c2ba664d6b9c67513f87b5b841",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:Detect"
}
},
{
"@id": "d3f:MemoryModificationEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a process modifies allocated memory, potentially altering its content, behavior, or state.",
"rdfs:label": "Memory Modification Event",
"rdfs:subClassOf": [
{
"@id": "d3f:MemoryEvent"
},
{
"@id": "_:Nd682ccb89c684a8aac435dbb434e69a7"
}
]
},
{
"@id": "_:Nd682ccb89c684a8aac435dbb434e69a7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryAllocationEvent"
}
},
{
"@id": "d3f:ChangeDefaultPassword",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ChangeDefaultPassword"
],
"d3f:d3fend-id": "D3-CFP",
"d3f:definition": "Changing the default password means replacing the factory-set credentials with a strong, unique password before the device is deployed, preventing unauthorized access.",
"d3f:hardens": {
"@id": "d3f:OTController"
},
"d3f:kb-article": "## How it works\nChange the default password as soon as a new device is received. The default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means.\n\n## Considerations\n* These should be changed before a device is brought online so that an adversary cannot take advantage of these default credentials.\n* Strong and complex passwords are preferred if the technology allows.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-CPGChecklist"
},
{
"@id": "d3f:Reference-GuidetoOTSecurity"
},
{
"@id": "d3f:Reference-MITREATTACKPasswordPolicies"
}
],
"d3f:strengthens": [
{
"@id": "d3f:Password"
},
{
"@id": "d3f:UserAccount"
}
],
"rdfs:label": "Change Default Password",
"rdfs:subClassOf": [
{
"@id": "d3f:StrongPasswordPolicy"
},
{
"@id": "_:Nd63a876679e148de888201d1a51ffcad"
},
{
"@id": "_:N8e30efa4f6a94e9ba275cc45ff8aa6d3"
},
{
"@id": "_:N1ee20608c55b4232bc1505a34c92f22d"
}
]
},
{
"@id": "_:Nd63a876679e148de888201d1a51ffcad",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:hardens"
},
"owl:someValuesFrom": {
"@id": "d3f:OTController"
}
},
{
"@id": "_:N8e30efa4f6a94e9ba275cc45ff8aa6d3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:strengthens"
},
"owl:someValuesFrom": {
"@id": "d3f:Password"
}
},
{
"@id": "_:N1ee20608c55b4232bc1505a34c92f22d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:strengthens"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:BinarySegment",
"@type": "owl:Class",
"d3f:definition": "A binary segment is a partition of binary information within a larger binary object, which arranges a set of binary objects for its purpose. For example, code, data, heap, and stack segments are segments of the binary information used by a process. Code and data segments are also found in object files.",
"rdfs:label": "Binary Segment",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:T1036.011",
"@type": "owl:Class",
"d3f:attack-id": "T1036.011",
"d3f:definition": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process’s stack and passes them to the `main()` function as the `argv` array. The first element, `argv[0]`, typically contains the process name or path - by default, the command used to actually start the process (e.g., `cat /etc/passwd`). By default, the Linux `/proc` filesystem uses this value to represent the process name. The `/proc//cmdline` file reflects the contents of this memory, and tools like `ps` use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges.",
"rdfs:label": "Overwrite Process Arguments",
"rdfs:subClassOf": {
"@id": "d3f:T1036"
}
},
{
"@id": "d3f:T1505.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:adds": {
"@id": "d3f:WebScriptFile"
},
"d3f:attack-id": "T1505.003",
"d3f:definition": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)",
"d3f:modifies": {
"@id": "d3f:WebServer"
},
"d3f:produces": {
"@id": "d3f:Process"
},
"rdfs:label": "Web Shell",
"rdfs:subClassOf": [
{
"@id": "d3f:T1505"
},
{
"@id": "_:N90b5562ee37a427689c1fa753d59b8eb"
},
{
"@id": "_:N6471721a2d094612a0699345be11d76a"
},
{
"@id": "_:Nbf4ccc0692674921b11b0dd663dcc276"
}
]
},
{
"@id": "_:N90b5562ee37a427689c1fa753d59b8eb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:adds"
},
"owl:someValuesFrom": {
"@id": "d3f:WebScriptFile"
}
},
{
"@id": "_:N6471721a2d094612a0699345be11d76a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:WebServer"
}
},
{
"@id": "_:Nbf4ccc0692674921b11b0dd663dcc276",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:SecondaryStorage",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Secondary memory (storage, hard disk) is the computer component holding information that does not need to be accessed quickly and that needs to be retained long-term.",
"rdfs:isDefinedBy": {
"@id": "https://whatis.techtarget.com/definition/memory"
},
"rdfs:label": "Secondary Storage",
"rdfs:seeAlso": {
"@id": "https://en.wikipedia.org/wiki/Computer_data_storage#Secondary_storage"
},
"rdfs:subClassOf": [
{
"@id": "d3f:HardwareDevice"
},
{
"@id": "d3f:Storage"
}
]
},
{
"@id": "d3f:T1562.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1562.002",
"d3f:definition": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.",
"d3f:may-modify": [
{
"@id": "d3f:ApplicationConfiguration"
},
{
"@id": "d3f:OperatingSystemConfigurationComponent"
}
],
"rdfs:label": "Disable Windows Event Logging",
"rdfs:subClassOf": [
{
"@id": "d3f:T1562"
},
{
"@id": "_:Naff41dd0e2134ccfa0919a9ca69b4c1c"
},
{
"@id": "_:Nc4aacd662ba44ccba38330316d96c3b7"
}
]
},
{
"@id": "_:Naff41dd0e2134ccfa0919a9ca69b4c1c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:ApplicationConfiguration"
}
},
{
"@id": "_:Nc4aacd662ba44ccba38330316d96c3b7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingSystemConfigurationComponent"
}
},
{
"@id": "d3f:OSAPIResumeProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An OS API function that resumes the execution of a paused, stopped, or suspended process.",
"d3f:invokes": {
"@id": "d3f:ResumeProcess"
},
"rdfs:label": "OS API Resume Process",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPISystemFunction"
},
{
"@id": "_:N6014bc14a9604f9588f35832fc2a61be"
}
]
},
{
"@id": "_:N6014bc14a9604f9588f35832fc2a61be",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:ResumeProcess"
}
},
{
"@id": "d3f:CWE-913",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-913",
"d3f:definition": "The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.",
"rdfs:label": "Improper Control of Dynamically-Managed Code Resources",
"rdfs:subClassOf": {
"@id": "d3f:CWE-664"
}
},
{
"@id": "d3f:CCI-001426_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:UserAccountPermissions"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-25T00:00:00"
},
"rdfs:label": "CCI-001426"
},
{
"@id": "d3f:CCI-000066_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:RemoteTerminalSessionDetection"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization enforces requirements for remote connections to the information system.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-14T00:00:00"
},
"rdfs:label": "CCI-000066"
},
{
"@id": "d3f:T1548",
"@type": "owl:Class",
"d3f:attack-id": "T1548",
"d3f:definition": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)",
"rdfs:label": "Abuse Elevation Control Mechanism",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
}
]
},
{
"@id": "d3f:depends-on",
"@type": "owl:ObjectProperty",
"d3f:definition": "x depends-on y: The entity x is contingent on y being available; x relies on y.",
"owl:inverseOf": {
"@id": "d3f:has-dependent"
},
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/00729216-a"
},
"rdfs:label": "depends-on",
"rdfs:seeAlso": {
"@id": "https://www.cisa.gov/what-are-dependencies"
},
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:HardwareDriver",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "In computing, a device driver (commonly referred to simply as a driver) is a computer program that operates or controls a particular type of device that is attached to a computer. A driver provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details of the hardware being used. A driver communicates with the device through the computer bus or communications subsystem to which the hardware connects. When a calling program invokes a routine in the driver, the driver issues commands to the device. Once the device sends data back to the driver, the driver may invoke routines in the original calling program. Drivers are hardware dependent and operating-system-specific. They usually provide the interrupt handling required for any necessary asynchronous time-dependent hardware interface.",
"d3f:drives": {
"@id": "d3f:HardwareDevice"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Device_driver"
},
"rdfs:label": "Hardware Driver",
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:N7fa0ae4e4852474e936aaccc6f717a02"
}
],
"skos:altLabel": "Device Driver"
},
{
"@id": "_:N7fa0ae4e4852474e936aaccc6f717a02",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:drives"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:T1601.001",
"@type": "owl:Class",
"d3f:attack-id": "T1601.001",
"d3f:definition": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.",
"rdfs:label": "Patch System Image",
"rdfs:subClassOf": {
"@id": "d3f:T1601"
}
},
{
"@id": "d3f:CCI-001372_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-22T00:00:00"
},
"rdfs:label": "CCI-001372"
},
{
"@id": "d3f:CWE-578",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-578",
"d3f:definition": "The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.",
"rdfs:label": "EJB Bad Practices: Use of Class Loader",
"rdfs:subClassOf": {
"@id": "d3f:CWE-573"
}
},
{
"@id": "d3f:CWE-586",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-586",
"d3f:definition": "The product makes an explicit call to the finalize() method from outside the finalizer.",
"rdfs:label": "Explicit Call to Finalize()",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1076"
}
},
{
"@id": "d3f:T1008",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1008",
"d3f:definition": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
"d3f:produces": {
"@id": "d3f:OutboundInternetNetworkTraffic"
},
"rdfs:label": "Fallback Channels",
"rdfs:subClassOf": [
{
"@id": "d3f:CommandAndControlTechnique"
},
{
"@id": "_:N2849a8f9f0d64449890aacc7302c7f29"
}
]
},
{
"@id": "_:N2849a8f9f0d64449890aacc7302c7f29",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetNetworkTraffic"
}
},
{
"@id": "d3f:LinuxDeleteModule",
"@type": "owl:Class",
"d3f:definition": "Attempts to remove the unused loadable module entry identified by name. If the module has an exit function, then that function is executed before unloading the module.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/delete_module.2.html"
},
"rdfs:label": "Linux Delete Module",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIUnloadModule"
}
},
{
"@id": "d3f:may-deceive",
"@type": "owl:ObjectProperty",
"d3f:pref-label": "may deceive",
"rdfs:label": "may-deceive",
"rdfs:subPropertyOf": {
"@id": "d3f:may-counter-attack"
}
},
{
"@id": "d3f:CredentialScrubbing",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:CredentialScrubbing"
],
"d3f:d3fend-id": "D3-CS",
"d3f:definition": "The systematic removal of hard-coded credentials from source code to prevent accidental exposure and unauthorized access.",
"d3f:hardens": {
"@id": "d3f:Subroutine"
},
"d3f:kb-article": "## How it Works\nCredential Scrubbing involves identifying and eliminating hard-coded credentials such as usernames, passwords, API keys, and tokens from source code repositories. These credentials should be managed securely using environment variables, secret management tools, or secure vaults where they can be safely accessed when needed.\n\n## Considerations\n* Developers should conduct regular audits of source code to ensure credentials are not hard-coded.\n* Exposed credentials found in version control history must be disabled and replaced promptly.\n* Adopt role-based access controls and credential rotation policies to minimize security risks.",
"d3f:kb-reference": {
"@id": "d3f:Reference-SecretsManagementCheatSheet-OWASP"
},
"rdfs:label": "Credential Scrubbing",
"rdfs:seeAlso": [
{
"@id": "d3f:CWE-798"
},
{
"@id": "https://capec.mitre.org/data/definitions/191.html"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:SourceCodeHardening"
},
{
"@id": "_:N6db7258d5ace4fceb2cb134fb561ec57"
}
]
},
{
"@id": "_:N6db7258d5ace4fceb2cb134fb561ec57",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:hardens"
},
"owl:someValuesFrom": {
"@id": "d3f:Subroutine"
}
},
{
"@id": "d3f:OTProgramModeCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Command that places the controller in a mode capable of reprogramming logic. This may or may not stop the program.",
"rdfs:label": "OT Program Mode Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
},
{
"@id": "_:N7f8128a40dad4d6992d2f19a18bda00f"
},
{
"@id": "_:Na9bd813d771f4756aa094469224350b5"
}
]
},
{
"@id": "_:N7f8128a40dad4d6992d2f19a18bda00f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTProgramModeCommand"
}
},
{
"@id": "_:Na9bd813d771f4756aa094469224350b5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingMode"
}
},
{
"@id": "d3f:CWE-400",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-400",
"d3f:definition": "The product does not properly control the allocation and maintenance of a limited resource.",
"d3f:synonym": "Resource Exhaustion",
"rdfs:label": "Uncontrolled Resource Consumption",
"rdfs:subClassOf": {
"@id": "d3f:CWE-664"
}
},
{
"@id": "d3f:T1578.001",
"@type": "owl:Class",
"d3f:attack-id": "T1578.001",
"d3f:definition": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.",
"rdfs:label": "Create Snapshot",
"rdfs:subClassOf": {
"@id": "d3f:T1578"
}
},
{
"@id": "d3f:CWE-421",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-421",
"d3f:definition": "The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.",
"rdfs:label": "Race Condition During Access to Alternate Channel",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-362"
},
{
"@id": "d3f:CWE-420"
}
]
},
{
"@id": "d3f:Reference-IdentifyingADenial-of-serviceAttackInACloud-basedProxyService-CloudfareInc.",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US8613089B1"
},
"d3f:kb-abstract": "A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.",
"d3f:kb-author": "Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe Francois Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.",
"d3f:kb-organization": "Cloudfare Inc.",
"d3f:kb-reference-of": {
"@id": "d3f:InboundSessionVolumeAnalysis"
},
"d3f:kb-reference-title": "Identifying a denial-of-service attack in a cloud-based proxy service",
"rdfs:label": "Reference - Identifying a denial-of-service attack in a cloud-based proxy service - Cloudfare Inc."
},
{
"@id": "d3f:DHCPAckEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a DHCP server sends an ACK message to acknowledge a client's REQUEST, confirming the allocation of an IP address and associated network settings.",
"rdfs:label": "DHCP Ack Event",
"rdfs:subClassOf": [
{
"@id": "d3f:DHCPEvent"
},
{
"@id": "_:N4f41c0e9ccf54cf6b08ac8362191584d"
}
],
"skos:altLabel": "DHCPACK"
},
{
"@id": "_:N4f41c0e9ccf54cf6b08ac8362191584d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:DHCPRequestEvent"
}
},
{
"@id": "d3f:Reference-Technical_Specifications_for_Construction_and_Management_of_Sensitive_Compartmented_Information_Facilities",
"@type": [
"owl:NamedIndividual",
"d3f:SpecificationReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.dni.gov/files/Governance/IC-Tech-Specs-for-Const-and-Mgmt-of-SCIFs-v15.pdf"
},
"d3f:kb-author": "National Counterintelligence and Security Center",
"d3f:kb-reference-of": {
"@id": "d3f:RFShielding"
},
"d3f:kb-reference-title": "Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities",
"rdfs:label": "Reference - Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities"
},
{
"@id": "d3f:CWE-760",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-760",
"d3f:definition": "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.",
"rdfs:label": "Use of a One-Way Hash with a Predictable Salt",
"rdfs:subClassOf": {
"@id": "d3f:CWE-916"
}
},
{
"@id": "d3f:T1597",
"@type": "owl:Class",
"d3f:attack-id": "T1597",
"d3f:definition": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)",
"rdfs:label": "Search Closed Sources",
"rdfs:subClassOf": {
"@id": "d3f:ReconnaissanceTechnique"
}
},
{
"@id": "d3f:ContentSubstitution",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ContentSubstitution"
],
"d3f:d3fend-id": "D3-CNS",
"d3f:definition": "Modifies specific digital content information by replacing it with something else.",
"d3f:kb-article": "## How it works\n\nIf malicious or unecessary elements is discovered within the content, or if a specific embedded portion does not comply with policy, it may be replaced with alternatives to ensure safety.",
"d3f:kb-reference": {
"@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
},
"rdfs:label": "Content Substitution",
"rdfs:subClassOf": {
"@id": "d3f:ContentModification"
}
},
{
"@id": "d3f:CCI-003014_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces organization-defined mandatory access control policies over all subjects and objects.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-08-30T00:00:00"
},
"rdfs:label": "CCI-003014"
},
{
"@id": "d3f:OTModifyControlProgramCommand",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "OT command that adds, removes, or changes, process data on a remote device.",
"d3f:modifies": {
"@id": "d3f:OTControlProgram"
},
"rdfs:comment": "GE-SRTP: WRITE PROGRAM BLOCK MEMORY\nGE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL\nGE-SRTP: SET CONTROL ID(CPU ID)\nGE-SRTP: PROGRAM STORE (UPLOAD FROM PLC)\nGE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)\nGE-SRTP: TOGGLE FORCE SYSTEM MEMORY",
"rdfs:label": "OT Modify Control Program Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyDeviceConfigurationCommand"
},
{
"@id": "_:Ne972f7f219254b1f9527b0acfb1fa930"
}
]
},
{
"@id": "_:Ne972f7f219254b1f9527b0acfb1fa930",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:OTControlProgram"
}
},
{
"@id": "d3f:DS0001",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI",
"rdfs:comment": "This data source captures events relating to firmware and therefore has no direct mappings to digital artifacts.",
"rdfs:label": "Firmware (ATT&CK DS)"
},
{
"@id": "d3f:WindowsNtReadFileScatter",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Reads specified block from file into multiple buffers. Each buffer must have one page length.",
"rdfs:label": "Windows NtReadFileScatter",
"rdfs:seeAlso": {
"@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
},
"rdfs:subClassOf": {
"@id": "d3f:OSAPIReadFile"
}
},
{
"@id": "d3f:CWE-261",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-261",
"d3f:definition": "Obscuring a password with a trivial encoding does not protect the password.",
"rdfs:label": "Weak Encoding for Password",
"rdfs:subClassOf": {
"@id": "d3f:CWE-522"
}
},
{
"@id": "d3f:CWE-45",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-45",
"d3f:definition": "The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
"rdfs:label": "Path Equivalence: 'file...name' (Multiple Internal Dot)",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-165"
},
{
"@id": "d3f:CWE-44"
}
]
},
{
"@id": "d3f:ObjectEviction",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ObjectEviction"
],
"d3f:d3fend-id": "D3-OE",
"d3f:definition": "Terminate or remove an object from a host machine. This is the broadest class for object eviction.",
"d3f:enables": {
"@id": "d3f:Evict"
},
"rdfs:label": "Object Eviction",
"rdfs:subClassOf": [
{
"@id": "d3f:DefensiveTechnique"
},
{
"@id": "_:Na0e0dbc8b56143359bf0cfe7bc555a64"
}
]
},
{
"@id": "_:Na0e0dbc8b56143359bf0cfe7bc555a64",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:Evict"
}
},
{
"@id": "d3f:CWE-627",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-627",
"d3f:definition": "In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.",
"d3f:synonym": "Dynamic evaluation",
"rdfs:label": "Dynamic Variable Evaluation",
"rdfs:subClassOf": {
"@id": "d3f:CWE-914"
}
},
{
"@id": "d3f:Reference-EmbeddingContextsForOn-lineThreatsIntoResponsePolicyZones-VerisignInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US10440059B1"
},
"d3f:kb-abstract": "Hierarchical threat intelligence embedded in subdomain CNAMEs of a DNS denylist.\n\nIn one embodiment, a response policy zone (RPZ) application generates an RPZ that includes contexts for the on-line threats that are associated with domain names. For a domain name that is associated with an on-line threat, the RPZ application determines a threat specification that describes a characteristic of the on-line threat. The RPZ application then generates an alias based on the domain name and the threat specification. Subsequently, the RPZ application generates a domain name system (DNS) resource record that maps the domain name to the alias, includes the resource record in the RPZ, and transmits the RPZ to a DNS name server that implements the RPZ. Upon receiving a DNS query associated with the domain name, the DNS name server generates a DNS response based on the alias. Because the domain name and the threat specification is reflected in the alias, the DNS response automatically provides a relevant context.",
"d3f:kb-author": "Ben McCarty",
"d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
"d3f:kb-reference-of": {
"@id": "d3f:HierarchicalDomainDenylisting"
},
"d3f:kb-reference-title": "Embedding contexts for on-line threats into response policy zones",
"rdfs:label": "Reference - Embedding contexts for on-line threats into response policy zones - Verisign Inc"
},
{
"@id": "d3f:T1593.001",
"@type": "owl:Class",
"d3f:attack-id": "T1593.001",
"d3f:definition": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.",
"rdfs:label": "Social Media",
"rdfs:subClassOf": {
"@id": "d3f:T1593"
}
},
{
"@id": "d3f:CWE-664",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-664",
"d3f:definition": "The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.",
"rdfs:label": "Improper Control of a Resource Through its Lifetime",
"rdfs:subClassOf": {
"@id": "d3f:Weakness"
}
},
{
"@id": "d3f:FullVolumeSnapshot",
"@type": "owl:Class",
"d3f:definition": "A full volume snapshot is a point-in-time copy of the complete contents of a volume.",
"rdfs:label": "Full Volume Snapshot",
"rdfs:seeAlso": {
"@id": "https://aws.amazon.com/compare/the-difference-between-incremental-differential-and-other-backups/"
},
"rdfs:subClassOf": {
"@id": "d3f:VolumeSnapshot"
}
},
{
"@id": "d3f:CWE-103",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-103",
"d3f:definition": "The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().",
"rdfs:label": "Struts: Incomplete validate() Method Definition",
"rdfs:subClassOf": {
"@id": "d3f:CWE-573"
}
},
{
"@id": "d3f:CCI-001233_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:SoftwareUpdate"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-22T00:00:00"
},
"rdfs:label": "CCI-001233"
},
{
"@id": "d3f:T1542.005",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1542.005",
"d3f:creates": {
"@id": "d3f:TFTPNetworkTraffic"
},
"d3f:definition": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.",
"rdfs:label": "TFTP Boot",
"rdfs:subClassOf": [
{
"@id": "d3f:T1542"
},
{
"@id": "_:Nb74baeacef6b4a659f21288d39ca98e6"
}
]
},
{
"@id": "_:Nb74baeacef6b4a659f21288d39ca98e6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:TFTPNetworkTraffic"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-11_8",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Developer Testing and Evaluation | Dynamic Code Analysis",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:related": {
"@id": "d3f:ApplicationHardening"
},
"rdfs:label": "SA-11(8)"
},
{
"@id": "d3f:RestoreEmail",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:RestoreEmail"
],
"d3f:d3fend-id": "D3-RE",
"d3f:definition": "Restoring an email for an entity to access.",
"d3f:kb-reference": {
"@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
},
"d3f:restores": {
"@id": "d3f:Email"
},
"rdfs:label": "Restore Email",
"rdfs:subClassOf": [
{
"@id": "d3f:RestoreFile"
},
{
"@id": "_:Ndde953a0a94d47c7bc60ab3017a2310b"
}
]
},
{
"@id": "_:Ndde953a0a94d47c7bc60ab3017a2310b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restores"
},
"owl:someValuesFrom": {
"@id": "d3f:Email"
}
},
{
"@id": "d3f:SpearmansRankCorrelationCoefficient",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SRCC",
"d3f:synonym": "Spearman's Rho",
"rdfs:label": "Spearman's Rank Correlation Coefficient",
"rdfs:subClassOf": {
"@id": "d3f:RankCorrelationCoefficient"
}
},
{
"@id": "d3f:ConfigurationDatabase",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:ConfigurationDatabaseRecord"
},
"rdfs:label": "Configuration Database",
"rdfs:subClassOf": [
{
"@id": "d3f:ConfigurationResource"
},
{
"@id": "_:N15b4f623a6304170aa22dc3ad2dd62fb"
}
]
},
{
"@id": "_:N15b4f623a6304170aa22dc3ad2dd62fb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:ConfigurationDatabaseRecord"
}
},
{
"@id": "d3f:SMBFileOpenEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a file is opened if it exists, failing otherwise. This operation is used to access or query the existing file.",
"rdfs:label": "SMB File Open Event",
"rdfs:subClassOf": [
{
"@id": "d3f:SMBEvent"
},
{
"@id": "_:N4d4c120e676f404dac26d8b5bdd68ba2"
}
]
},
{
"@id": "_:N4d4c120e676f404dac26d8b5bdd68ba2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:SMBFileCreateEvent"
}
},
{
"@id": "d3f:NetworkFileResource",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:File"
},
"d3f:definition": "A computer file resource made available from one host to other hosts on a computer network.",
"rdfs:label": "Network File Resource",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkFileShareResource"
},
{
"@id": "_:N4ccc4006706845c4aec554970b24a9c1"
}
]
},
{
"@id": "_:N4ccc4006706845c4aec554970b24a9c1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:CWE-515",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-515",
"d3f:definition": "A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.",
"rdfs:label": "Covert Storage Channel",
"rdfs:subClassOf": {
"@id": "d3f:CWE-514"
}
},
{
"@id": "d3f:T1562",
"@type": "owl:Class",
"d3f:attack-id": "T1562",
"d3f:definition": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.",
"rdfs:label": "Impair Defenses",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:Instance-basedTransferLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-IBTL",
"d3f:definition": "Instance-based transfer learning methods try to reweight the samples in the source domain in an attempt to correct for marginal distribution differences. These reweighted instances are then directly used in the target domain for training.",
"d3f:kb-article": "## References\nGeorgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).",
"rdfs:label": "Instance-based Transfer Learning",
"rdfs:subClassOf": {
"@id": "d3f:HomogenousTransferLearning"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_3",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Least Privilege | Network Access to Privileged Commands",
"d3f:exactly": {
"@id": "d3f:SystemConfigurationPermissions"
},
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-6(3)"
},
{
"@id": "d3f:AMD64CodeSegment",
"@type": [
"owl:NamedIndividual",
"d3f:ImageCodeSegment",
"d3f:ProcessCodeSegment"
],
"rdfs:label": "AMD64 Code Segment"
},
{
"@id": "d3f:T1555.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:MacOSKeychain"
},
"d3f:attack-id": "T1555.001",
"d3f:definition": "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.",
"rdfs:label": "Keychain",
"rdfs:subClassOf": [
{
"@id": "d3f:T1555"
},
{
"@id": "_:Nb3433fb675384b0992d2d273e06f0c94"
}
]
},
{
"@id": "_:Nb3433fb675384b0992d2d273e06f0c94",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:MacOSKeychain"
}
},
{
"@id": "d3f:Reference-GuideToStorageEncryptionTechnologiesForEndUserDevices",
"@type": [
"owl:NamedIndividual",
"d3f:GuidelineReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf"
},
"d3f:kb-abstract": "Many threats against end user devices could cause information stored on the devices to be accessed by unauthorized parties. To prevent such disclosures of information, particularly of personally identifiable information (PII) and other sensitive data, the information needs to be secured. Securing other components of end user devices, such as operating systems, is also necessary, but in many cases storage security, which is the process of allowing only authorized parties to access and use stored information. The primary security controls for restricting access to sensitive information stored on end user devices are encryption and authentication. Encryption can be applied granularly, such as to an individual file containing sensitive information, or broadly, such as encrypting all stored data. The appropriate encryption solution for a particular situation depends primarily upon the type of storage, the amount of information that needs to be protected, the environments where the storage will be located, and the threats that need to be mitigated.",
"d3f:kb-author": "Karen Scarfone, Murugiah Souppaya, and Matt Sexton",
"d3f:kb-reference-of": {
"@id": "d3f:FileEncryption"
},
"d3f:kb-reference-title": "NIST Special Publication 800-111 - Guide to Storage Encryption Technologies for End User Devices",
"rdfs:label": "Reference - Guide to Storage Encryption Technologies for End User Devices"
},
{
"@id": "d3f:Non-ParametricTests",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-NPT",
"d3f:definition": "A non-parametric test relies is used when the underlying distribution of data is non-symmetric (non-normal distribution).",
"d3f:kb-article": "## References\nNewcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/non-parametric-hypothesis-tests.html)",
"rdfs:label": "Non-Parametric Tests",
"rdfs:subClassOf": {
"@id": "d3f:HypothesisTesting"
}
},
{
"@id": "d3f:LogonUser",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:authenticates": {
"@id": "d3f:UserAccount"
},
"rdfs:label": "Logon User",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Nb8124825ad8e438e9c18d2682594589f"
}
]
},
{
"@id": "_:Nb8124825ad8e438e9c18d2682594589f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:authenticates"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:T1205",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1205",
"d3f:definition": "Adversaries use traffic signaling techniques, such as sending specific network sequences or magic packets, to covertly trigger actions like opening ports, activating backdoors, or installing filters, facilitating command and control, persistence, and defense evasion.",
"d3f:produces": {
"@id": "d3f:NetworkTraffic"
},
"rdfs:label": "Traffic Signaling",
"rdfs:subClassOf": [
{
"@id": "d3f:CommandAndControlTechnique"
},
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "d3f:PersistenceTechnique"
},
{
"@id": "_:N3ca880b8ef634c6e957840b60a6c48d4"
}
]
},
{
"@id": "_:N3ca880b8ef634c6e957840b60a6c48d4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTraffic"
}
},
{
"@id": "d3f:T1505.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:adds": {
"@id": "d3f:MessageTransferAgent"
},
"d3f:attack-id": "T1505.002",
"d3f:definition": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.",
"d3f:modifies": {
"@id": "d3f:MailServer"
},
"rdfs:label": "Transport Agent",
"rdfs:subClassOf": [
{
"@id": "d3f:T1505"
},
{
"@id": "_:Nd0a9e35523de4a988a954f44f7d196a2"
},
{
"@id": "_:N156d8aafeb434f029d4ab7333b8f7d3f"
}
]
},
{
"@id": "_:Nd0a9e35523de4a988a954f44f7d196a2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:adds"
},
"owl:someValuesFrom": {
"@id": "d3f:MessageTransferAgent"
}
},
{
"@id": "_:N156d8aafeb434f029d4ab7333b8f7d3f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:MailServer"
}
},
{
"@id": "d3f:CWE-486",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-486",
"d3f:definition": "The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.",
"rdfs:label": "Comparison of Classes by Name",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1025"
}
},
{
"@id": "d3f:T1103",
"@type": "owl:Class",
"d3f:attack-id": "T1103",
"d3f:definition": "Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1546.010",
"rdfs:label": "AppInit DLLs",
"rdfs:seeAlso": "T1546.010",
"rdfs:subClassOf": [
{
"@id": "d3f:PersistenceTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
}
]
},
{
"@id": "d3f:CWE-43",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-43",
"d3f:definition": "The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
"rdfs:label": "Path Equivalence: 'filename....' (Multiple Trailing Dot)",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-163"
},
{
"@id": "d3f:CWE-42"
}
]
},
{
"@id": "d3f:T1596",
"@type": "owl:Class",
"d3f:attack-id": "T1596",
"d3f:definition": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)",
"rdfs:label": "Search Open Technical Databases",
"rdfs:subClassOf": {
"@id": "d3f:ReconnaissanceTechnique"
}
},
{
"@id": "d3f:LANAccessMediation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:LANAccessMediation"
],
"d3f:d3fend-id": "D3-LAMED",
"d3f:definition": "LAN access mediation encompasses the application of strict access control policies, systematic verification of devices, and authentication mechanisms to govern connectivity to a Local Area Network.",
"d3f:isolates": {
"@id": "d3f:LocalAreaNetwork"
},
"d3f:kb-article": "## How it works\n\nLAN Access Mediation is a network security approach that manages and controls access to a Local Area Network by using key components such as Access Control Lists (ACLs) to specify which devices are allowed or denied access, Port Security to restrict device connections to specific switch ports, RADIUS for determining the level of access or specific resources available to users or devices, and 802.1X for enforcing device authentication before granting network access. This comprehensive strategy ensures that only authorized devices and users can connect to the network, enhancing overall security.",
"d3f:kb-reference": {
"@id": "d3f:Reference-WhatIsNetworkAccessControl"
},
"rdfs:comment": "Layer 2 Enforcement",
"rdfs:label": "LAN Access Mediation",
"rdfs:seeAlso": {
"@id": "https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf"
},
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkAccessMediation"
},
{
"@id": "_:N9b213783193c4edb8e5a1972fdf3ab37"
}
]
},
{
"@id": "_:N9b213783193c4edb8e5a1972fdf3ab37",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:isolates"
},
"owl:someValuesFrom": {
"@id": "d3f:LocalAreaNetwork"
}
},
{
"@id": "d3f:CWE-276",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-276",
"d3f:definition": "During installation, installed file permissions are set to allow anyone to modify those files.",
"d3f:weakness-of": {
"@id": "d3f:ApplicationInstaller"
},
"rdfs:label": "Incorrect Default Permissions",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-732"
},
{
"@id": "_:Nb28aa06cbd694ce6930d3df8d23d4b16"
}
]
},
{
"@id": "_:Nb28aa06cbd694ce6930d3df8d23d4b16",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:ApplicationInstaller"
}
},
{
"@id": "d3f:OSAPISuspendProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An OS API function that pauses the execution of a process.",
"d3f:invokes": {
"@id": "d3f:SuspendProcess"
},
"rdfs:label": "OS API Suspend Process",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPISystemFunction"
},
{
"@id": "_:N1d5c86c28d8b49d685f92d33a61941dd"
}
]
},
{
"@id": "_:N1d5c86c28d8b49d685f92d33a61941dd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:SuspendProcess"
}
},
{
"@id": "d3f:OTIOModule",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:communicates-with": [
{
"@id": "d3f:OTActuator"
},
{
"@id": "d3f:OTSensor"
}
],
"d3f:definition": "An OT I/O Module is an industrial-grade interface designed for harsh Operational Technology (OT) environments. It reliably connects sensors and actuators to industrial control systems, ensuring precise, real-time data exchange in applications such as SCADA or ICS. Engineered for ruggedness and consistent performance, it can manage analog, digital, or other specialized signal types while enduring demanding conditions.",
"rdfs:comment": "There are many types of I/O modules, including: analog input, analog output, HART input, HART output, digital input, digital output, mV input, pulse input, universal I/O, vibration input, and many other types of input or output modules. The functionality of the I/O Module can be embedded in the controller or as a separate module connected via chassis or I/O link.",
"rdfs:isDefinedBy": {
"@id": "https://consteel-electronics.com/articles/what-is-IO-module"
},
"rdfs:label": "OT I/O Module",
"rdfs:seeAlso": {
"@id": "https://www.rockwellautomation.com/en-us/support/documentation/technical/i-o/compact-5000-i-o-modules.html"
},
"rdfs:subClassOf": [
{
"@id": "d3f:IOModule"
},
{
"@id": "_:Ne63698ee37374eee84862f6d206b6be7"
},
{
"@id": "_:N43d2ec02ad0d42d1840813e7ad60fe69"
}
],
"skos:example": "Rockwell Compact 5000 IO Module"
},
{
"@id": "_:Ne63698ee37374eee84862f6d206b6be7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:communicates-with"
},
"owl:someValuesFrom": {
"@id": "d3f:OTActuator"
}
},
{
"@id": "_:N43d2ec02ad0d42d1840813e7ad60fe69",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:communicates-with"
},
"owl:someValuesFrom": {
"@id": "d3f:OTSensor"
}
},
{
"@id": "d3f:T1505.006",
"@type": "owl:Class",
"d3f:attack-id": "T1505.006",
"d3f:definition": "Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.",
"rdfs:label": "vSphere Installation Bundles",
"rdfs:subClassOf": {
"@id": "d3f:T1505"
}
},
{
"@id": "d3f:Reference-MethodAndSystemForDetectingMaliciousPayloads_VectraNetworksInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/EP3293937A1/en?oq=EP-3293937-A1"
},
"d3f:kb-abstract": "Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.\n\nSome examples of data inputs:\n Information for clients and servers, such as IP address and host information\n Payloads for both clients and servers\n Amount of data being transferred\n Duration of communications\n Length of time delay between client request and server response",
"d3f:kb-author": "Nicolas Beauchesne; John Steven Mancini",
"d3f:kb-mitre-analysis": "Extraction of network flow data and using unsupervised machine learning to create a standard baseline. During the monitoring phase, abnormal network metadata will result in an alert.",
"d3f:kb-organization": "Vectra Networks Inc",
"d3f:kb-reference-of": {
"@id": "d3f:Client-serverPayloadProfiling"
},
"d3f:kb-reference-title": "Method and system for detecting malicious payloads",
"rdfs:label": "Reference - Method and system for detecting malicious payloads - Vectra Networks Inc"
},
{
"@id": "d3f:Centroid-basedClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-CBC",
"d3f:definition": "Centroid-based clustering organizes the data into non-hierarchical clusters, in contrast to hierarchical clustering defined below. K-means is the most widely-used centroid-based clustering algorithm. Centroid-based algorithms are efficient but sensitive to initial conditions and outliers.",
"d3f:kb-article": "## References\nGoogle Developers. (n.d.). Clustering Algorithms. [Link](https://developers.google.com/machine-learning/clustering/clustering-algorithms)",
"rdfs:label": "Centroid-based Clustering",
"rdfs:subClassOf": {
"@id": "d3f:ClusterAnalysis"
}
},
{
"@id": "d3f:OTDeviceIdentificationMessageEvent",
"@type": "owl:Class",
"d3f:definition": "Identify devices on the network.",
"rdfs:label": "OT Device Identification Message Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTDeviceManagementMessageEvent"
},
{
"@id": "_:N7beb4c357e874834a77e697e189f819e"
}
]
},
{
"@id": "_:N7beb4c357e874834a77e697e189f819e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTDeviceIdentificationMessage"
}
},
{
"@id": "d3f:CWE-59",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-59",
"d3f:definition": "The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.",
"d3f:synonym": [
"Zip Slip",
"insecure temporary file"
],
"rdfs:label": "Improper Link Resolution Before File Access ('Link Following')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-706"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SC-3_1",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Security Function Isolation | Hardware Separation",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:ExecutionIsolation"
},
"rdfs:label": "SC-3(1)"
},
{
"@id": "d3f:ProcessCreationEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a new process is spawned, initializing its execution context and resource allocation.",
"rdfs:label": "Process Creation Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessEvent"
},
{
"@id": "_:N8de8ded3a24344d8ac9ab15b6c14dfa4"
}
]
},
{
"@id": "_:N8de8ded3a24344d8ac9ab15b6c14dfa4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessStartFunction"
}
},
{
"@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20190034641A1"
},
"d3f:kb-abstract": "The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increase the risk assessment.",
"d3f:kb-author": "Sylvain Gil; Domingo Mihovilovic; Nir Polak; Magnus Stensmo; Sing Yip",
"d3f:kb-mitre-analysis": "This patent describes calculating a risk score to detect anomalies in user activity based on comparing a user's current session with a user behavior model. The user behavior model is comprised of a number of histograms including:\n\n* client devices from which the user logs in\n* servers accessed\n* data accessed\n* applications accessed\n* session duration\n* logon time of day\n* logon day of week\n* geo - location of logon origination\n\nThe system has an initial training period with x number of days (e. g., 90 days) in which session data is recorded in behavior models before behavior analysis begins.The histograms are then used to determine anomalies between current session activity and a user's behavior model. Values for a histogram category are along one axis and the number of times the value is received for the category is along another axis. If a data point value associated with the current user session is over an anomaly threshold, an alert is generated.",
"d3f:kb-organization": "Exabeam Inc",
"d3f:kb-reference-of": [
{
"@id": "d3f:AuthenticationEventThresholding"
},
{
"@id": "d3f:AuthorizationEventThresholding"
},
{
"@id": "d3f:ResourceAccessPatternAnalysis"
},
{
"@id": "d3f:SessionDurationAnalysis"
},
{
"@id": "d3f:UserGeolocationLogonPatternAnalysis"
}
],
"d3f:kb-reference-title": "System, method, and computer program product for detecting and assessing security risks in a network",
"rdfs:label": "Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc"
},
{
"@id": "d3f:MicrosoftWordDOTFile",
"@type": [
"owl:NamedIndividual",
"d3f:DocumentFile"
],
"rdfs:label": "Microsoft Word DOT File"
},
{
"@id": "d3f:CWE-651",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-651",
"d3f:definition": "The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).",
"rdfs:label": "Exposure of WSDL File Containing Sensitive Information",
"rdfs:subClassOf": {
"@id": "d3f:CWE-538"
}
},
{
"@id": "d3f:Reference-AccountMonitoring_ForescoutTechnologies",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20190205511A1"
},
"d3f:kb-abstract": "Systems, methods, and related technologies for account access monitoring are described. In certain aspects, a login request associated with a device can be analyzed and a score determined. The score and a threshold can be used to determine whether to initiate an action.",
"d3f:kb-author": "Chunhui Zhan, Siying Yang",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Forescout Technologies",
"d3f:kb-reference-of": {
"@id": "d3f:AccountLocking"
},
"d3f:kb-reference-title": "Account monitoring",
"rdfs:label": "Reference - Account monitoring - Forescout Technologies"
},
{
"@id": "d3f:T1568",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1568",
"d3f:definition": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.",
"d3f:produces": {
"@id": "d3f:OutboundInternetDNSLookupTraffic"
},
"rdfs:label": "Dynamic Resolution",
"rdfs:subClassOf": [
{
"@id": "d3f:CommandAndControlTechnique"
},
{
"@id": "_:Nb7c163eda5aa4a53ab78f08fd550551c"
}
]
},
{
"@id": "_:Nb7c163eda5aa4a53ab78f08fd550551c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetDNSLookupTraffic"
}
},
{
"@id": "d3f:RestoreObject",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:RestoreObject"
],
"d3f:d3fend-id": "D3-RO",
"d3f:definition": "Restoring an object for an entity to access. This is the broadest class for object restoral.",
"d3f:enables": {
"@id": "d3f:Restore"
},
"rdfs:label": "Restore Object",
"rdfs:subClassOf": [
{
"@id": "d3f:DefensiveTechnique"
},
{
"@id": "_:N3e59ffd755e841ab964acdbd3b7bbb67"
}
]
},
{
"@id": "_:N3e59ffd755e841ab964acdbd3b7bbb67",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:Restore"
}
},
{
"@id": "d3f:RangeMatching",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-RM",
"d3f:definition": "Numeric Range Matching determines if a value lies with an interval of values (i.e., within the range of values.)",
"rdfs:label": "Range Matching",
"rdfs:subClassOf": {
"@id": "d3f:NumericPatternMatching"
}
},
{
"@id": "d3f:T1055.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1055.003",
"d3f:definition": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.",
"d3f:invokes": {
"@id": "d3f:SystemCall"
},
"d3f:may-add": {
"@id": "d3f:ExecutableBinary"
},
"rdfs:label": "Thread Execution Hijacking",
"rdfs:subClassOf": [
{
"@id": "d3f:T1055"
},
{
"@id": "_:N517127fd9fd24a8b9a7ec66401f6e158"
},
{
"@id": "_:N596858a8fc8b4b4b8f37115607c9bbb9"
}
]
},
{
"@id": "_:N517127fd9fd24a8b9a7ec66401f6e158",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemCall"
}
},
{
"@id": "_:N596858a8fc8b4b4b8f37115607c9bbb9",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-add"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableBinary"
}
},
{
"@id": "d3f:T1586",
"@type": "owl:Class",
"d3f:attack-id": "T1586",
"d3f:definition": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.",
"rdfs:label": "Compromise Accounts",
"rdfs:subClassOf": {
"@id": "d3f:ResourceDevelopmentTechnique"
}
},
{
"@id": "d3f:T1491.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1491.001",
"d3f:definition": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)",
"d3f:modifies": {
"@id": "d3f:Resource"
},
"rdfs:label": "Internal Defacement",
"rdfs:subClassOf": [
{
"@id": "d3f:T1491"
},
{
"@id": "_:Nf75598aa027e4748bf361b7efce897a5"
}
]
},
{
"@id": "_:Nf75598aa027e4748bf361b7efce897a5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:Resource"
}
},
{
"@id": "d3f:ServiceRestartEvent",
"@type": "owl:Class",
"d3f:definition": "An event describing the sequential stopping and starting of a service application to refresh its state, apply updates, or resolve operational issues.",
"rdfs:label": "Service Restart Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ApplicationRestartEvent"
},
{
"@id": "d3f:ServiceEvent"
},
{
"@id": "_:N72f632ac27814af1ac7eefe321edc728"
},
{
"@id": "_:N561660c322684af7812b1feecf1a5fcd"
}
]
},
{
"@id": "_:N72f632ac27814af1ac7eefe321edc728",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceStopEvent"
}
},
{
"@id": "_:N561660c322684af7812b1feecf1a5fcd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:precedes"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceStartEvent"
}
},
{
"@id": "d3f:CCI-001941_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:One-timePassword"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-05-03T00:00:00"
},
"rdfs:label": "CCI-001941"
},
{
"@id": "d3f:EmailReceiveEvent",
"@type": "owl:Class",
"d3f:definition": "An event where an email is delivered to a recipient's mail server or mailbox. This includes receiving messages from internal or external sources via protocols such as IMAP, POP3, or their secure variants.",
"rdfs:label": "Email Receive Event",
"rdfs:subClassOf": [
{
"@id": "d3f:EmailEvent"
},
{
"@id": "_:Nd59176fd4be44eb8aa7977704618d359"
}
]
},
{
"@id": "_:Nd59176fd4be44eb8aa7977704618d359",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:EmailSendEvent"
}
},
{
"@id": "d3f:T1574.006",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1574.006",
"d3f:definition": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)",
"d3f:modifies": {
"@id": "d3f:OperatingSystemConfigurationFile"
},
"rdfs:label": "Dynamic Linker Hijacking",
"rdfs:subClassOf": [
{
"@id": "d3f:T1574"
},
{
"@id": "_:N2bd40415b4cc4646b0db6beda026055d"
}
]
},
{
"@id": "_:N2bd40415b4cc4646b0db6beda026055d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingSystemConfigurationFile"
}
},
{
"@id": "d3f:Reference-Testing_Metrics_for_Password_Creation_Policies_by_Attacking_Large_Sets_of_Revealed_Passwords",
"@type": [
"owl:NamedIndividual",
"d3f:AcademicPaperReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf"
},
"d3f:kb-author": "Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern",
"d3f:kb-reference-of": {
"@id": "d3f:StrongPasswordPolicy"
},
"d3f:kb-reference-title": "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords",
"rdfs:label": "Reference - Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"
},
{
"@id": "d3f:CWE-1269",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1269",
"d3f:definition": "The product released to market is released in pre-production or manufacturing configuration.",
"rdfs:label": "Product Released in Non-Release Configuration",
"rdfs:subClassOf": {
"@id": "d3f:CWE-693"
}
},
{
"@id": "d3f:CWE-1048",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1048",
"d3f:definition": "The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large.",
"rdfs:label": "Invokable Control Element with Large Number of Outward Calls",
"rdfs:subClassOf": {
"@id": "d3f:CWE-710"
}
},
{
"@id": "d3f:ExecutableScript",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An executable script is written in a scripting language and interpreted at run time. This is in contrast with an executable binary, which contains machine code instructions for a physical CPU or byte code for a virtual machine.",
"rdfs:label": "Executable Script",
"rdfs:seeAlso": {
"@id": "dbr:Executable"
},
"rdfs:subClassOf": {
"@id": "d3f:ExecutableFile"
}
},
{
"@id": "d3f:Reference-AuditUserAccountManagement",
"@type": [
"owl:NamedIndividual",
"d3f:GuidelineReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"
},
"d3f:kb-abstract": "Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.",
"d3f:kb-organization": "Microsoft",
"d3f:kb-reference-of": [
{
"@id": "d3f:DomainAccountMonitoring"
},
{
"@id": "d3f:LocalAccountMonitoring"
}
],
"d3f:kb-reference-title": "Audit User Account Management",
"rdfs:label": "Reference - Audit User Account Management"
},
{
"@id": "d3f:T1666",
"@type": "owl:Class",
"d3f:attack-id": "T1666",
"d3f:definition": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.",
"rdfs:label": "Modify Cloud Resource Hierarchy",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:TranslationLookasideBuffer",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location. It is a part of the chip's memory-management unit (MMU).",
"rdfs:isDefinedBy": {
"@id": "https://dbpedia.org/page/Translation_lookaside_buffer"
},
"rdfs:label": "Translation Lookaside Buffer",
"rdfs:subClassOf": {
"@id": "d3f:MemoryManagementUnitComponent"
}
},
{
"@id": "d3f:PeripheralFirmwareVerification",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:PeripheralFirmwareVerification"
],
"d3f:d3fend-id": "D3-PFV",
"d3f:definition": "Cryptographically verifying peripheral firmware integrity.",
"d3f:kb-article": "# How it works\nPeripherial firmware is collected and analyzed on a host either periodically or on demand. This information may be collected for future comparisons.\n\nChanges in firmware hash values may indicate that the firmware has been tampered with or that firmware images are not maintained to current baselined versions, or even known vulnerable versions are deployed.\n\n## Considerations\n* Trust baselines will need to be generated for specific devices\n* Changes to trusted configurations will need to be managed across the enterprise",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-FirmwareVerificationEclypsium"
},
{
"@id": "d3f:Reference-FirmwareVerificationTrapezoid"
}
],
"d3f:verifies": {
"@id": "d3f:PeripheralFirmware"
},
"rdfs:label": "Peripheral Firmware Verification",
"rdfs:subClassOf": [
{
"@id": "d3f:FirmwareVerification"
},
{
"@id": "_:N0678b2fc9bb74012a6adea7da8e30871"
}
]
},
{
"@id": "_:N0678b2fc9bb74012a6adea7da8e30871",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:verifies"
},
"owl:someValuesFrom": {
"@id": "d3f:PeripheralFirmware"
}
},
{
"@id": "d3f:T1053.007",
"@type": "owl:Class",
"d3f:attack-id": "T1053.007",
"d3f:definition": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.",
"rdfs:label": "Container Orchestration Job",
"rdfs:subClassOf": {
"@id": "d3f:T1053"
}
},
{
"@id": "d3f:CWE-1323",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1323",
"d3f:definition": "Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.",
"rdfs:label": "Improper Management of Sensitive Trace Data",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-2_6",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Flaw Remediation | Removal of Previous Versions of Software and Firmware",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:FirmwareVerification"
},
{
"@id": "d3f:PeripheralFirmwareVerification"
},
{
"@id": "d3f:SoftwareUpdate"
},
{
"@id": "d3f:SystemFirmwareVerification"
}
],
"rdfs:label": "SI-2(6)"
},
{
"@id": "d3f:T1569",
"@type": "owl:Class",
"d3f:attack-id": "T1569",
"d3f:definition": "This technique has been deprecated.",
"rdfs:label": "System Services",
"rdfs:subClassOf": {
"@id": "d3f:ExecutionTechnique"
}
},
{
"@id": "d3f:start",
"@type": "owl:ObjectProperty",
"rdfs:label": "start",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-process-object-property"
}
},
{
"@id": "d3f:CWE-305",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-305",
"d3f:definition": "The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.",
"rdfs:label": "Authentication Bypass by Primary Weakness",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1390"
}
},
{
"@id": "d3f:summarizes",
"@type": "owl:ObjectProperty",
"d3f:definition": "x summarizes y: The sensor x summarizes a set y of events concerning digital artifacts over time.",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/02758570-v"
},
"rdfs:label": "summarizes",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:NetworkPacket",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A network packet is a formatted unit of data carried by a packet-switched network. Computer communications links that do not support packets, such as traditional point-to-point telecommunications links, simply transmit data as a bit stream. When data is formatted into packets, packet switching is possible and the bandwidth of the communication medium can be better shared among users than with circuit switching.",
"rdfs:isDefinedBy": {
"@id": "dbr:Network_packet"
},
"rdfs:label": "Network Packet",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:CCI-002397_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002397"
},
{
"@id": "d3f:OTDeviceDescriptionMessage",
"@type": "owl:Class",
"d3f:definition": "Describe features, abilities, or performance of system components.",
"rdfs:comment": [
"ENIP: List Services\nENIP: List Interfaces ",
"GE-SRTP: RETURN CONTROL PROGRAM NAMES\nGE-SRTP: RETURN CONTROLLER TYPE AND ID INFORMATION"
],
"rdfs:label": "OT Device Description Message",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTDeviceManagementMessage"
}
},
{
"@id": "d3f:ATTACKEnterpriseTechnique",
"@type": "owl:Class",
"rdfs:label": "ATTACK Enterprise Technique",
"rdfs:subClassOf": {
"@id": "d3f:ATTACKEnterpriseThing"
}
},
{
"@id": "d3f:LinuxVfork",
"@type": "owl:Class",
"d3f:definition": "Create child process that temp suspends parent process until it terminates.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/vfork.2.html"
},
"rdfs:label": "Linux Vfork",
"rdfs:subClassOf": {
"@id": "d3f:OSAPICreateProcess"
}
},
{
"@id": "d3f:Reference-RFC7642SystemForCrossDomainIdentityManagementDefinitionsOverviewConceptsAndRequirements",
"@type": [
"owl:NamedIndividual",
"d3f:SpecificationReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://datatracker.ietf.org/doc/html/rfc7642"
},
"d3f:kb-abstract": "The System for Cross-domain Identity Management (SCIM) specification is designed to manage user identity in cloud-based applications and services in a standardized way to enable interoperability, security, and scalability. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. The intent of the SCIM specification is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. In essence, make it fast, cheap, and easy to move users in to, out of, and around the cloud.",
"d3f:kb-author": "K. LI, B. Khasnabish, A. Nadalin, Z. Zeltsan",
"d3f:kb-organization": "IETF",
"d3f:kb-reference-of": {
"@id": "d3f:AccessModeling"
},
"d3f:kb-reference-title": "RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements",
"rdfs:label": "Reference - RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements"
},
{
"@id": "d3f:DomainRegistrationTakedown",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DomainRegistrationTakedown"
],
"d3f:d3fend-id": "D3-DRT",
"d3f:definition": "The process of performing a takedown of the attacker's domain registration infrastructure.",
"d3f:deletes": {
"@id": "d3f:DomainRegistration"
},
"d3f:kb-article": "## How it works\n\nMost nameserver hosts and domain name registrars comply with internationally recognised standards and supply their services based on terms and conditions that provide users and organisations protection from abuse and trademark infringement. Performing a WHOIS query on the attacker's domain will provide a contact that can be notified in the case of abuse. Formal takedown processes should be initiated to suspend or disable the normal function of the domain name.\n\n## Considerations\n\n- Takedown notifications should clearly demonstrate (with evidence) that the nameserver or registrars Terms and Conditions have been breached.\n- Takedown processes are notoriously slow and sometimes unsuccessful.\n- Many government organisations will have takedown processes that should also be followed. They may use this for intelligence to assist other organisations suffering an attack.\n- Top level domain registrars will have takedown processes that can be followed, as an escalation path, when the nameserver host and/or registrar have not responded or complied timeously or inline with the TLD expectations.\n\n## Examples of Domain Registration Abuse\n\nAttackers will create infrastructure from which to carry out their operations and this may include registering domain names to be used in the various attacks. Known misuse cases include:\n\n- Registering domain names that are similar to the victim's. This is known as typosquatting or URL hijacking. Legitimate looking mails or URLs could be sent using this domain in phishing campaigns.\n- Registring domain names that are used in C2 beacons.",
"d3f:kb-reference": {
"@id": "d3f:Reference-UnderstandingtheDomainRegistrationBehaviorofSpammers"
},
"rdfs:label": "Domain Registration Takedown",
"rdfs:subClassOf": [
{
"@id": "d3f:ObjectEviction"
},
{
"@id": "_:N73755bc01bea47a585ea303412f5cd96"
}
]
},
{
"@id": "_:N73755bc01bea47a585ea303412f5cd96",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:deletes"
},
"owl:someValuesFrom": {
"@id": "d3f:DomainRegistration"
}
},
{
"@id": "d3f:CWE-1297",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1297",
"d3f:definition": "The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.",
"rdfs:label": "Unprotected Confidential Information on Device is Accessible by OSAT Vendors",
"rdfs:subClassOf": {
"@id": "d3f:CWE-285"
}
},
{
"@id": "d3f:Restore",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DefensiveTactic"
],
"d3f:definition": "The restore tactic is used to return the system to a better state.",
"d3f:display-order": 5,
"d3f:display-priority": 0,
"rdfs:label": "Restore",
"rdfs:subClassOf": {
"@id": "d3f:DefensiveTactic"
}
},
{
"@id": "d3f:CWE-645",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-645",
"d3f:definition": "The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.",
"rdfs:label": "Overly Restrictive Account Lockout Mechanism",
"rdfs:subClassOf": {
"@id": "d3f:CWE-287"
}
},
{
"@id": "d3f:CWE-1107",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1107",
"d3f:definition": "The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.",
"rdfs:label": "Insufficient Isolation of Symbolic Constant Definitions",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1078"
}
},
{
"@id": "d3f:process-ancestor",
"@type": [
"owl:ObjectProperty",
"owl:TransitiveProperty"
],
"d3f:definition": "x process-ancestor y: The process y is a process ancestor of process x, indicating one or more process creation events were conducted were started at process y and subsequently created process x.",
"rdfs:label": "process-ancestor",
"rdfs:subPropertyOf": {
"@id": "d3f:process-property"
}
},
{
"@id": "d3f:T1583.008",
"@type": "owl:Class",
"d3f:attack-id": "T1583.008",
"d3f:definition": "Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.",
"rdfs:label": "Malvertising",
"rdfs:subClassOf": {
"@id": "d3f:T1583"
}
},
{
"@id": "d3f:CWE-525",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-525",
"d3f:definition": "The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.",
"rdfs:label": "Use of Web Browser Cache Containing Sensitive Information",
"rdfs:subClassOf": {
"@id": "d3f:CWE-524"
}
},
{
"@id": "d3f:T1486",
"@type": "owl:Class",
"d3f:attack-id": "T1486",
"d3f:definition": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)",
"rdfs:label": "Data Encrypted for Impact",
"rdfs:subClassOf": {
"@id": "d3f:ImpactTechnique"
}
},
{
"@id": "d3f:WindowsOpenProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Opens an existing local process object.",
"d3f:invokes": {
"@id": "d3f:WindowsNtOpenProcess"
},
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess"
},
"rdfs:label": "Windows OpenProcess",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPITraceProcess"
},
{
"@id": "_:Nc0441b7b0f9a445695b13f0bca66a82c"
}
]
},
{
"@id": "_:Nc0441b7b0f9a445695b13f0bca66a82c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtOpenProcess"
}
},
{
"@id": "d3f:ProtocolMetadataAnomalyDetection",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ProtocolMetadataAnomalyDetection"
],
"d3f:analyzes": {
"@id": "d3f:NetworkTraffic"
},
"d3f:d3fend-id": "D3-PMAD",
"d3f:definition": "Collecting network communication protocol metadata and identifying statistical outliers.",
"d3f:kb-article": "## How it works\nNetwork protocol metadata is first collected and processed in real-time or post-facto. Metadata may include packet header information or information about a session (ex. time between requests/responses). Metadata is then grouped based on shared characteristics and those groups are compared to each other. If particular metadata differs significantly from other data, an alert is generated, identifying the network event as anomalous. Anomalous activity may indicate unauthorized activity.\n\n## Considerations\nMetadata collection on enterprises can yield large data sets. Storage, indexing, querying, and aging should be considered prior to implementation.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingMetadataVectors_VECTRANETWORKSInc"
},
{
"@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingPassiveClusterMapping_VectraNetworksInc"
},
{
"@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc"
}
],
"rdfs:label": "Protocol Metadata Anomaly Detection",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkTrafficAnalysis"
},
{
"@id": "_:N0d72ab940b404579aa04b2f0c160f20b"
}
]
},
{
"@id": "_:N0d72ab940b404579aa04b2f0c160f20b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTraffic"
}
},
{
"@id": "d3f:FileContentBlockMetadata",
"@type": "owl:Class",
"d3f:definition": "Content Blocks may contain metadata specific to the block's content at the beginning.",
"rdfs:label": "File Content Block Metadata",
"rdfs:subClassOf": {
"@id": "d3f:FileMetadata"
}
},
{
"@id": "d3f:MemoryProtectionUnit",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A Memory Protection Unit (MPU) is a processor component that enforces access control policies on memory regions to ensure the integrity, security, and proper operation of a computing system.",
"d3f:synonym": "MPU",
"rdfs:label": "Memory Protection Unit",
"rdfs:subClassOf": {
"@id": "d3f:ProcessorComponent"
}
},
{
"@id": "d3f:HostGroup",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:Host"
},
"d3f:definition": "A collection of Hosts used to allow operations such as access control to be applied to the entire group.",
"rdfs:label": "Host Group",
"rdfs:subClassOf": [
{
"@id": "d3f:AccessControlGroup"
},
{
"@id": "_:Naf6c2133d23a4d8ebd1315715f426730"
}
]
},
{
"@id": "_:Naf6c2133d23a4d8ebd1315715f426730",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:Host"
}
},
{
"@id": "d3f:Autoencoding",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-AUT",
"d3f:definition": "Autoencoders are specific type of deep learning architecture used for learning representation of data, typically for the purpose of dimensionality reduction. This is achieved by designing deep learning architecture that aims that copying input layer at its output layer.",
"d3f:kb-article": "## References\nSOCR. (n.d.). ABIDE Autoencoder. [Link](https://socr.umich.edu/HTML5/ABIDE_Autoencoder/#:~:text=In%20simple%20words%2C%20autoencoders%20are,layer%20at%20its%20output%20layer.)",
"rdfs:label": "Autoencoding",
"rdfs:subClassOf": {
"@id": "d3f:DimensionReduction"
}
},
{
"@id": "d3f:T1200",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1200",
"d3f:connects": {
"@id": "d3f:HardwareDevice"
},
"d3f:definition": "Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.",
"rdfs:label": "Hardware Additions",
"rdfs:subClassOf": [
{
"@id": "d3f:InitialAccessTechnique"
},
{
"@id": "_:N25f051a03aa340ccba5318dffd451b51"
}
]
},
{
"@id": "_:N25f051a03aa340ccba5318dffd451b51",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:connects"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:CWE-1328",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1328",
"d3f:definition": "Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.",
"rdfs:label": "Security Version Number Mutable to Older Versions",
"rdfs:subClassOf": {
"@id": "d3f:CWE-285"
}
},
{
"@id": "d3f:CWE-402",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-402",
"d3f:definition": "The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.",
"d3f:synonym": "Resource Leak",
"rdfs:label": "Transmission of Private Resources into a New Sphere ('Resource Leak')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-668"
}
},
{
"@id": "d3f:RuntimeVariable",
"@type": "owl:Class",
"d3f:definition": "A runtime variable is an abstract storage location paired with an associated symbolic name, which contains some known or unknown quantity of data or object referred to as a value, which can change during the execution of a computer program.",
"rdfs:label": "Runtime Variable",
"rdfs:seeAlso": {
"@id": "https://dbpedia.org/page/Variable_(computer_science)"
},
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:OperatingSystemConfigurationComponent",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An component of the overall information necessary for the configuration of an operating system.",
"rdfs:label": "Operating System Configuration Component",
"rdfs:seeAlso": {
"@id": "http://wordnet-rdf.princeton.edu/id/03085025-n"
},
"rdfs:subClassOf": {
"@id": "d3f:OperatingSystemConfiguration"
},
"skos:altLabel": [
"Operating System Configuration Information",
"System Configuration"
]
},
{
"@id": "d3f:EmbeddedDatabaseApplication",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A software application that integrates a database management system (DBMS) directly within its own structure, rather than relying on a separate, standalone database server. Examples include SQLite and Berkeley DB.",
"d3f:executes": {
"@id": "d3f:DatabaseQuery"
},
"d3f:manages": {
"@id": "d3f:Database"
},
"rdfs:label": "Embedded Database Application",
"rdfs:subClassOf": [
{
"@id": "d3f:DatabaseApplication"
},
{
"@id": "_:N8d33208028f64dff9a95a0fdc3c48dee"
},
{
"@id": "_:Na322940f81844b838863d81687758f45"
}
]
},
{
"@id": "_:N8d33208028f64dff9a95a0fdc3c48dee",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:executes"
},
"owl:someValuesFrom": {
"@id": "d3f:DatabaseQuery"
}
},
{
"@id": "_:Na322940f81844b838863d81687758f45",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:manages"
},
"owl:someValuesFrom": {
"@id": "d3f:Database"
}
},
{
"@id": "d3f:CCI-002465_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:DomainTrustPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002465"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-3_3",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:broader": [
{
"@id": "d3f:FileAnalysis"
},
{
"@id": "d3f:IdentifierAnalysis"
},
{
"@id": "d3f:MessageAnalysis"
},
{
"@id": "d3f:NetworkTrafficAnalysis"
},
{
"@id": "d3f:PlatformMonitoring"
},
{
"@id": "d3f:ProcessAnalysis"
},
{
"@id": "d3f:UserBehaviorAnalysis"
}
],
"d3f:control-name": "Risk Assessment | Dynamic Threat Awareness",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "RA-3(3)"
},
{
"@id": "d3f:CWE-1188",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1188",
"d3f:definition": "The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.",
"rdfs:label": [
"Initialization of a Resource with an Insecure Default",
"Insecure Default Initialization of Resource"
],
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1419"
},
{
"@id": "d3f:CWE-665"
}
]
},
{
"@id": "d3f:contained-by",
"@type": [
"owl:ObjectProperty",
"owl:TransitiveProperty"
],
"d3f:definition": "x contained-by y: The entity x exists within or is physically or logically enclosed by entity y.",
"owl:inverseOf": {
"@id": "d3f:contains"
},
"rdfs:label": "contained-by",
"rdfs:subPropertyOf": [
{
"@id": "d3f:associated-with"
},
{
"@id": "d3f:may-be-contained-by"
}
]
},
{
"@id": "d3f:T1583.005",
"@type": "owl:Class",
"d3f:attack-id": "T1583.005",
"d3f:definition": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)",
"rdfs:label": "Botnet",
"rdfs:subClassOf": {
"@id": "d3f:T1583"
}
},
{
"@id": "d3f:T1053.006",
"@type": "owl:Class",
"d3f:attack-id": "T1053.006",
"d3f:definition": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)",
"rdfs:label": "Systemd Timers",
"rdfs:subClassOf": {
"@id": "d3f:T1053"
}
},
{
"@id": "d3f:HTTPTraceEvent",
"@type": "owl:Class",
"d3f:definition": "An event where the HTTP TRACE method is used to perform a message loop-back test along the path to the target resource.",
"rdfs:label": "HTTP TRACE Event",
"rdfs:subClassOf": {
"@id": "d3f:HTTPRequestEvent"
}
},
{
"@id": "d3f:CCI-002463_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides data origin artifacts for internal name/address resolution queries.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:DomainTrustPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002463"
},
{
"@id": "d3f:OTCreateNewControlProgramCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Commands a remote device to create an control program.",
"rdfs:label": "OT Create New Control Program Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyControlProgramCommandEvent"
},
{
"@id": "_:N708f3c4a691840dfb8fcf34beb242429"
},
{
"@id": "_:Nb4c2d956a7dc4f3e88d8363f72346857"
}
]
},
{
"@id": "_:N708f3c4a691840dfb8fcf34beb242429",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTControlProgram"
}
},
{
"@id": "_:Nb4c2d956a7dc4f3e88d8363f72346857",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTCreateNewControlProgramCommand"
}
},
{
"@id": "d3f:T1499.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1499.002",
"d3f:definition": "Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.",
"d3f:produces": {
"@id": "d3f:InboundInternetNetworkTraffic"
},
"rdfs:label": "Service Exhaustion Flood",
"rdfs:subClassOf": [
{
"@id": "d3f:T1498"
},
{
"@id": "_:N0b6ccacdc2e245cf982e43afed3fd624"
}
]
},
{
"@id": "_:N0b6ccacdc2e245cf982e43afed3fd624",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:InboundInternetNetworkTraffic"
}
},
{
"@id": "d3f:TechniqueReference",
"@type": "owl:Class",
"d3f:definition": "A reference used to develop KB articles.",
"d3f:pref-label": "Technique Reference",
"rdfs:label": "Technique Reference",
"rdfs:subClassOf": [
{
"@id": "d3f:D3FENDKBThing"
},
{
"@id": "_:N1d45b85f78c342d58c61515509627134"
},
{
"@id": "_:Nc8d0ba9ba0fa444b969157433829cd38"
},
{
"@id": "_:Na3a49b98c9f842f18782b801da255979"
}
]
},
{
"@id": "_:N1d45b85f78c342d58c61515509627134",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:kb-reference-of"
},
"owl:someValuesFrom": {
"@id": "d3f:DefensiveTechnique"
}
},
{
"@id": "_:Nc8d0ba9ba0fa444b969157433829cd38",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-link"
},
"owl:someValuesFrom": {
"@id": "xsd:anyURI"
}
},
{
"@id": "_:Na3a49b98c9f842f18782b801da255979",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:kb-reference-title"
},
"owl:someValuesFrom": {
"@id": "xsd:string"
}
},
{
"@id": "d3f:CWE-684",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-684",
"d3f:definition": "The code does not function according to its published specifications, potentially leading to incorrect usage.",
"rdfs:label": "Incorrect Provision of Specified Functionality",
"rdfs:subClassOf": {
"@id": "d3f:CWE-710"
}
},
{
"@id": "d3f:ProcessorComponent",
"@type": "owl:Class",
"d3f:definition": "A Processor Component is a functional subunit or module within a processor that performs specific tasks to support the processor's overall operation.",
"rdfs:label": "Processor Component",
"rdfs:seeAlso": {
"@id": "d3f:Processor"
},
"rdfs:subClassOf": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:CWE-190",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-190",
"d3f:definition": "The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.",
"d3f:synonym": [
"Overflow",
"Wraparound",
"wrap, wrap-around, wrap around"
],
"d3f:weakness-of": {
"@id": "d3f:MathematicalFunction"
},
"rdfs:label": "Integer Overflow or Wraparound",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-682"
},
{
"@id": "_:N6442a108f9ef4ff28f02b3b6be306089"
}
]
},
{
"@id": "_:N6442a108f9ef4ff28f02b3b6be306089",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:MathematicalFunction"
}
},
{
"@id": "d3f:T1590",
"@type": "owl:Class",
"d3f:attack-id": "T1590",
"d3f:definition": "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.",
"rdfs:label": "Gather Victim Network Information",
"rdfs:subClassOf": {
"@id": "d3f:ReconnaissanceTechnique"
}
},
{
"@id": "d3f:GraphicsProcessingUnit",
"@type": "owl:Class",
"d3f:definition": "A Graphics Processing Unit (GPU) is a specialized processor designed to efficiently perform parallel computations, primarily for rendering graphics and visual data.",
"d3f:synonym": "GPU",
"rdfs:label": "Graphics Processing Unit",
"rdfs:subClassOf": {
"@id": "d3f:Processor"
}
},
{
"@id": "d3f:T1001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1001",
"d3f:definition": "Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.",
"d3f:produces": {
"@id": "d3f:OutboundInternetNetworkTraffic"
},
"rdfs:label": "Data Obfuscation",
"rdfs:subClassOf": [
{
"@id": "d3f:CommandAndControlTechnique"
},
{
"@id": "_:Nf9ca2d0c417243fba9d2f7036fc3e55d"
}
]
},
{
"@id": "_:Nf9ca2d0c417243fba9d2f7036fc3e55d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetNetworkTraffic"
}
},
{
"@id": "d3f:CCI-002346_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:DatabaseQueryStringAnalysis"
},
{
"@id": "d3f:DiskEncryption"
},
{
"@id": "d3f:FileEncryption"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-25T00:00:00"
},
"rdfs:label": "CCI-002346"
},
{
"@id": "d3f:T1503",
"@type": "owl:Class",
"d3f:attack-id": "T1503",
"d3f:definition": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1555.003",
"rdfs:label": "Credentials from Web Browsers",
"rdfs:seeAlso": "T1555.003",
"rdfs:subClassOf": {
"@id": "d3f:CredentialAccessTechnique"
}
},
{
"@id": "d3f:OperatingSystemProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An operating system process, or system process, is a process running to perform operating system functions.",
"rdfs:label": "Operating System Process",
"rdfs:seeAlso": {
"@id": "http://people.scs.carleton.ca/~maheshwa/courses/300/l4/node7.html"
},
"rdfs:subClassOf": {
"@id": "d3f:Process"
},
"skos:altLabel": "System Process"
},
{
"@id": "d3f:DataExchangeMapping",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DataExchangeMapping"
],
"d3f:d3fend-id": "D3-DEM",
"d3f:definition": "Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-CatiaUAFPlugin"
},
{
"@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources"
},
{
"@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
}
],
"d3f:maps": {
"@id": "d3f:DataDependency"
},
"d3f:synonym": [
"Data Flow Mapping",
"Information Exchange Mapping"
],
"rdfs:label": "Data Exchange Mapping",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemMapping"
},
{
"@id": "_:Nc9eb0a7699264313a9f76ac607d836be"
}
]
},
{
"@id": "_:Nc9eb0a7699264313a9f76ac607d836be",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:maps"
},
"owl:someValuesFrom": {
"@id": "d3f:DataDependency"
}
},
{
"@id": "d3f:T1118",
"@type": "owl:Class",
"d3f:attack-id": "T1118",
"d3f:definition": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1218.004",
"rdfs:label": "InstallUtil",
"rdfs:seeAlso": "T1218.004",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "d3f:ExecutionTechnique"
}
]
},
{
"@id": "d3f:PasswordStore",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A user repository of account passwords, often accessed via a password manager.",
"rdfs:label": "Password Store",
"rdfs:seeAlso": {
"@id": "dbr:Password_manager"
},
"rdfs:subClassOf": {
"@id": "d3f:PasswordDatabase"
}
},
{
"@id": "d3f:DS0004",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries",
"d3f:narrower": [
{
"@id": "d3f:FileHash"
},
{
"@id": "d3f:ImageCodeSegment"
}
],
"rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Scheduled Job Metadata component",
"rdfs:label": "Malware Repository (ATT&CK DS)"
},
{
"@id": "d3f:CWE-563",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-563",
"d3f:definition": "The variable's value is assigned but never used, making it a dead store.",
"d3f:synonym": "Unused Variable",
"rdfs:label": "Assignment to Variable without Use",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1164"
}
},
{
"@id": "d3f:GroupPolicy",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy (\"LGPO\" or \"LocalGPO\") also allows Group Policy Object management on standalone and non-domain computers.",
"rdfs:label": "Group Policy",
"rdfs:subClassOf": {
"@id": "d3f:AccessControlConfiguration"
}
},
{
"@id": "d3f:Reference-OSQueryWindowsUserCollectionCode",
"@type": [
"owl:NamedIndividual",
"d3f:SourceCodeReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/tables/system/windows/users.cpp"
},
"d3f:kb-reference-title": "OS Query Windows User Collection Code",
"rdfs:label": "Reference - OS Query Windows User Collection Code"
},
{
"@id": "d3f:CCI-000199_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces maximum password lifetime restrictions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:StrongPasswordPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-15T00:00:00"
},
"rdfs:label": "CCI-000199"
},
{
"@id": "d3f:OTTimeCommand",
"@type": "owl:Class",
"d3f:definition": "Read, set, or calculate timing mechanisms.",
"rdfs:comment": [
"BACnet: timeSynchronization\nBACnet: utcTimeSynchronization ",
"GE-SRTP: SET PLC TIME/DATE\nGE-SRTP: RETURN PLC TIME/DATE"
],
"rdfs:label": "OT Time Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTDeviceManagementMessage"
}
},
{
"@id": "d3f:LogicalRules",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-LR",
"d3f:definition": "A logical rule matches event data or set of values to a conditional expression and results in the determination of a truth value, which may be used to determine the next action or step to take.",
"d3f:kb-article": "## How it works\n\nLogic rules define a set of patterns that in some patterns must match input data. If the the conditions are met, then the rule will \"fire\" and some action will be taken, usually notifying a person or another system that the event being monitored needs further processing or attention.\n\n## Key Test Considerations\n\n- **Performance (Accuracy)** Identify instances in data where rule is expected to be triggered. Implement traceability and metrics for individual rule performance. Traceability of cases could be implemented as unit tests or as part of a fine-grained classification performance platform. For simple rule-based matching systems with many rules, individual rules may be unused or may create unusually high false positives (or false negatives relative to expectation.\n\n- **Performance (Computational)** Generate model performance measures (see Classification Performance Measures), esp. a confusion matrix for each rule and identify outliers and relative contribution of rule to overall performance.\n\n## References\n1. Event condition action. (2019, Nov 21). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Event_condition_action).\n2. Business rule. (2023, April 10). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Business_rule).\n3. YARA. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/YARA).",
"rdfs:label": "Logical Rules",
"rdfs:subClassOf": {
"@id": "d3f:SymbolicLogic"
}
},
{
"@id": "d3f:InputDeviceAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:InputDeviceAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:InputDevice"
},
"d3f:d3fend-id": "D3-IDA",
"d3f:definition": "Operating system level mechanisms to prevent abusive input device exploitation.",
"d3f:kb-article": "## How it works\n\nInput Device Hardening techniques filter certain commands, or disable related operating system functionality.\n\n### Analytics\n\nAll of these values can be analyzed and compared to a baseline:\n\n* Amount of input\n* Duration of a single input\n* Durations between inputs\n* Value of input\n\nContext can also include:\n\n* User which is logged in, to include attributes such as physical location of the user\n* Date and time\n* System which is processing the input\n* Source device of input, to include its properties (eg. manufacturer), configuration (eg. keyboard layout) and behavioral attributes of this device (eg. first use)\n* Source system of input (local or remote system)\n* Other hardware devices attached to the system\n\n\n### Actions\n\nActions can include:\n\n* Disabling the source device\n* Sending an alert\n* Locking the current session (eg. system screen lock, or returning to an authentication screen in a web app) and requiring one or more methods of authentication to continue\n* Administratively disabling credentials for the account or the entire account -- the technique *Account Locking*\n\n\n### Examples\nA malicious input device sends many keystrokes with approximately the same delay between each. This does not match the normal cadence of input, and the device is disabled.\n\nInput to type the session user's name takes abnormally longer for each keystroke. The system is locked to the password prompt screen.\n\nA system receives key press events from two different devices -- one device sends keystrokes after the other has been idle for a long time.\n\nA system receives physical input in a user session, while that user has sent input from a device located out of the country in the past hour.\n\nNetwork traffic is suddenly routed through a new external device, and nearly the same volume of network traffic is subsequently sent out the previously existing interface. The new external device is disabled, and an alert is raised to investigate the network configuration for a potential compromise.\n\n\n## Considerations\n\nGiven some example of legitimate behavioral input patterns, attackers could mimic those input patterns, a technique which has been used in popular culture in the creation of Deepfake videos and [This Person Does Not Exist](https://thispersondoesnotexist.com).",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-www.biometric-solutions.com_keystroke-dynamics"
},
{
"@id": "d3f:Reference-ContinuousAuthenticationByAnalysisOfKeyboardTypingCharacteristics_BradfordUniv.,UK"
}
],
"rdfs:label": "Input Device Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:OperatingSystemMonitoring"
},
{
"@id": "_:Ncdb2065a8f6843f2a8c7edfa2e7f63d1"
}
]
},
{
"@id": "_:Ncdb2065a8f6843f2a8c7edfa2e7f63d1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:InputDevice"
}
},
{
"@id": "d3f:CWE-96",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-96",
"d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.",
"rdfs:label": "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-94"
}
},
{
"@id": "d3f:AddressSpace",
"@type": "owl:Class",
"d3f:definition": "An address space defines a range of discrete addresses, each of which may correspond to a network host, peripheral device, disk sector, a memory cell or other logical or physical entity. For software programs to save and retrieve stored data, each unit of data must have an address where it can be located. The number of address spaces available depends on the underlying address structure, which is usually limited by the computer architecture being used.",
"rdfs:isDefinedBy": {
"@id": "https://dbpedia.org/page/Address_space"
},
"rdfs:label": "Address Space",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:CWE-1275",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1275",
"d3f:definition": "The SameSite attribute for sensitive cookies is not set, or an insecure value is used.",
"rdfs:label": "Sensitive Cookie with Improper SameSite Attribute",
"rdfs:subClassOf": {
"@id": "d3f:CWE-923"
}
},
{
"@id": "d3f:CWE-754",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-754",
"d3f:definition": "The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.",
"rdfs:label": "Improper Check for Unusual or Exceptional Conditions",
"rdfs:subClassOf": {
"@id": "d3f:CWE-703"
}
},
{
"@id": "d3f:FileDecryptionEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a previously encrypted file is decoded, rendering its content accessible to authorized users or processes.",
"rdfs:label": "File Decryption Event",
"rdfs:subClassOf": [
{
"@id": "d3f:FileEvent"
},
{
"@id": "_:N299ee783ae8640e1a69e7f5f913bf10a"
}
]
},
{
"@id": "_:N299ee783ae8640e1a69e7f5f913bf10a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:FileEncryptionEvent"
}
},
{
"@id": "d3f:T1553.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1553.001",
"d3f:definition": "Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )",
"d3f:modifies": {
"@id": "d3f:FileSystemMetadata"
},
"rdfs:label": "Gatekeeper Bypass",
"rdfs:subClassOf": [
{
"@id": "d3f:T1553"
},
{
"@id": "_:Ndedb4ef2c1514ed8b4da47d8cbc8e7b6"
}
]
},
{
"@id": "_:Ndedb4ef2c1514ed8b4da47d8cbc8e7b6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:FileSystemMetadata"
}
},
{
"@id": "d3f:CWE-676",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-676",
"d3f:definition": "The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.",
"rdfs:label": "Use of Potentially Dangerous Function",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1177"
}
},
{
"@id": "d3f:PrivateKey",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A private key can be used to decrypt messages encrypted using the corresponding public key, or used to sign a message that can be authenticated with the corresponding public key.",
"rdfs:label": "Private Key",
"rdfs:seeAlso": {
"@id": "dbr:Public-key_cryptography"
},
"rdfs:subClassOf": {
"@id": "d3f:AsymmetricKey"
}
},
{
"@id": "d3f:RegOpenKeyW",
"@type": [
"owl:NamedIndividual",
"d3f:GetSystemConfigValue"
],
"rdfs:label": "RegOpenKeyW"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-4_1",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Nonlocal Maintenance | Logging and Review",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:LocalAccountMonitoring"
},
"rdfs:label": "MA-4(1)"
},
{
"@id": "d3f:CWE-117",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-117",
"d3f:definition": "The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.",
"d3f:synonym": "Log forging",
"rdfs:label": "Improper Output Neutralization for Logs",
"rdfs:subClassOf": {
"@id": "d3f:CWE-116"
}
},
{
"@id": "d3f:Reference-DetectingNetworkReconnaissanceByTrackingIntranetDark-netCommunications_VECTRANETWORKSInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20150264078A1"
},
"d3f:kb-abstract": "A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified a malicious entity performing network reconnaissance.",
"d3f:kb-author": "Nicolas BEAUCHESNE; Sungwook Yoon",
"d3f:kb-mitre-analysis": "This patent describes detecting an attacker performing internal reconnaissance within an organization's network to gather intelligence about the configuration of the network or identify the next target. Network packets are collected (ex. tapped from a network switch) and processed to create flows that are used to map out the network to identify network assets as well as ghost assets (addresses not assigned to a device or an existing device that is temporarily disabled). Once this mapping is complete it is used to monitor the network to determine if an attacker is attempting to connect to a ghost asset. If an attacker attempts to connect to a ghost asset over a threshold (ex. contacting four ghost assets in less than seven minutes), an alert is generated.",
"d3f:kb-organization": "VECTRA NETWORKS Inc",
"d3f:kb-reference-of": {
"@id": "d3f:ConnectionAttemptAnalysis"
},
"d3f:kb-reference-title": "Detecting network reconnaissance by tracking intranet dark-net communications",
"rdfs:label": "Reference - Detecting network reconnaissance by tracking intranet dark-net communications - VECTRA NETWORKS Inc"
},
{
"@id": "d3f:CWE-939",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-939",
"d3f:definition": "The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.",
"rdfs:label": "Improper Authorization in Handler for Custom URL Scheme",
"rdfs:subClassOf": {
"@id": "d3f:CWE-862"
}
},
{
"@id": "d3f:Maximum-marginLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-MML",
"d3f:definition": "Maximum-margin classifiers attempt to maximize the distance between the given data points and the decision boundary",
"d3f:kb-article": "## References\nEngelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6).\n\nSupport Vector Machines for Machine Learning. [Link](https://machinelearningmastery.com/support-vector-machines-for-machine-learning/#:~:text=The%20distance%20between%20the%20line,called%20the%20Maximal%2DMargin%20hyperplane.)",
"rdfs:label": "Maximum-margin Learning",
"rdfs:subClassOf": {
"@id": "d3f:IntrinsicallySemi-supervisedLearning"
}
},
{
"@id": "d3f:DeleteFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Remove a file from a machine.",
"d3f:deletes": {
"@id": "d3f:File"
},
"rdfs:label": "Delete File",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N918cfd80607742f39722c1eafc0c16fd"
}
]
},
{
"@id": "_:N918cfd80607742f39722c1eafc0c16fd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:deletes"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-3_10",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Malicious Code Protection | Malicious Code Analysis",
"d3f:exactly": {
"@id": "d3f:DynamicAnalysis"
},
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "SI-3(10)"
},
{
"@id": "d3f:CWE-122",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-122",
"d3f:definition": "A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().",
"rdfs:label": "Heap-based Buffer Overflow",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-787"
},
{
"@id": "d3f:CWE-788"
}
]
},
{
"@id": "d3f:TransducerSensor",
"@type": "owl:Class",
"d3f:definition": "A Transducer Sensor converts physical signals into digital data for monitoring purposes.",
"rdfs:label": "Transducer Sensor",
"rdfs:subClassOf": {
"@id": "d3f:Sensor"
}
},
{
"@id": "d3f:FileAccessPatternAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:FileAccessPatternAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:LocalResourceAccess"
},
"d3f:d3fend-id": "D3-FAPA",
"d3f:definition": "Analyzing the files accessed by a process to identify unauthorized activity.",
"d3f:kb-article": "## How it works\nFile modifying malware such as wipers and ransomware are detected by identifying file access patterns that are associated with a malicious process. Examples of file access patterns include accessing a large number of files, accessing multiple file types, files being accessed located in multiple locations in a directory, and copying a file and encrypting the contents of that file into a copy.\n\n## Considerations\nCertain file access actions may not be statistically different from authorized activity.",
"d3f:kb-reference": {
"@id": "d3f:Reference-File-modifyingMalwareDetection_CrowdstrikeInc"
},
"rdfs:label": "File Access Pattern Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessAnalysis"
},
{
"@id": "_:Nc3394686ebb848e0933ceacd8f3a3e33"
}
]
},
{
"@id": "_:Nc3394686ebb848e0933ceacd8f3a3e33",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:LocalResourceAccess"
}
},
{
"@id": "d3f:CCI-000067_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:RemoteTerminalSessionDetection"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system monitors remote access methods.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-14T00:00:00"
},
"rdfs:label": "CCI-000067"
},
{
"@id": "d3f:T1001.003",
"@type": "owl:Class",
"d3f:attack-id": "T1001.003",
"d3f:definition": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.",
"rdfs:label": "Protocol or Service Impersonation",
"rdfs:subClassOf": {
"@id": "d3f:T1001"
}
},
{
"@id": "d3f:CWE-644",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-644",
"d3f:definition": "The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.",
"rdfs:label": "Improper Neutralization of HTTP Headers for Scripting Syntax",
"rdfs:subClassOf": {
"@id": "d3f:CWE-116"
}
},
{
"@id": "d3f:ConfigurationModificationEvent",
"@type": "owl:Class",
"d3f:definition": "An event that changes the persisted state of configuration resources by adding, updating, or removing parameters, impacting the target component's behavior.",
"rdfs:label": "Configuration Modification Event",
"rdfs:subClassOf": {
"@id": "d3f:ConfigurationEvent"
}
},
{
"@id": "d3f:CWE-412",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-412",
"d3f:definition": "The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.",
"rdfs:label": "Unrestricted Externally Accessible Lock",
"rdfs:subClassOf": {
"@id": "d3f:CWE-667"
}
},
{
"@id": "d3f:TA0006",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:OffensiveTactic"
],
"d3f:definition": "The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.",
"d3f:display-order": 6,
"rdfs:label": "Credential Access",
"rdfs:subClassOf": [
{
"@id": "d3f:ATTACKEnterpriseTactic"
},
{
"@id": "d3f:OffensiveTactic"
}
]
},
{
"@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20160191559A1"
},
"d3f:kb-abstract": "Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.",
"d3f:kb-author": "Himanshu Mhatre; David Lopes Pegna; Oliver Brdiczka",
"d3f:kb-mitre-analysis": "The patent describes an insider threat detection system that analyzes packets sent within a network to identify and isolate malicious behavior. Current network traffic is collected and developed into a baseline that establishes the amount of data sent and received between a specific asset and a host. Current data transfer values are then compared with the baseline to identify anomalies.",
"d3f:kb-organization": "VECTRA NETWORKS Inc",
"d3f:kb-reference-of": {
"@id": "d3f:UserDataTransferAnalysis"
},
"d3f:kb-reference-title": "System for implementing threat detection using threat and risk assessment of asset-actor interactions",
"rdfs:label": "Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Inc"
},
{
"@id": "d3f:IdentifierReputationAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:IdentifierReputationAnalysis"
],
"d3f:d3fend-id": "D3-IRA",
"d3f:definition": "Analyzing the reputation of an identifier.",
"d3f:kb-reference": {
"@id": "d3f:Reference-Finding_phishing_sites"
},
"rdfs:label": "Identifier Reputation Analysis",
"rdfs:subClassOf": {
"@id": "d3f:IdentifierAnalysis"
}
},
{
"@id": "d3f:SystemDependency",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A system dependency indicates a system has an activity, agent, or another system which relies on it in order to be functional.",
"rdfs:label": "System Dependency",
"rdfs:seeAlso": [
{
"@id": "https://dl.acm.org/doi/10.1145/960116.53994"
},
{
"@id": "https://r-docs.synapse.org/articles/systemDependencies.html"
},
{
"@id": "https://www.ibm.com/docs/en/taddm/7.3.0?topic=model-dependencies-between-resources"
}
],
"rdfs:subClassOf": {
"@id": "d3f:Dependency"
}
},
{
"@id": "d3f:CWE-620",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-620",
"d3f:definition": "When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.",
"rdfs:label": "Unverified Password Change",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1390"
}
},
{
"@id": "d3f:PartitionTable",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:addresses": {
"@id": "d3f:Partition"
},
"d3f:definition": "A partition is a fixed-size subset of a storage device which is treated as a unit by the operating system. A partition table is a table maintained on the storage device by the operating system describing the partitions on that device. The terms partition table and partition map are most commonly associated with the MBR partition table of a Master Boot Record (MBR) in IBM PC compatibles, but it may be used generically to refer to other \"formats\" that divide a disk drive into partitions, such as: GUID Partition Table (GPT), Apple partition map (APM), or BSD disklabel.",
"d3f:may-contain": {
"@id": "d3f:BootRecord"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Partition_table"
},
"rdfs:label": "Partition Table",
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:N800c7441a32348d7b217b5c2fb12e3d1"
},
{
"@id": "_:Nad5afd2f90ef4c0eb1e03ec0cec6f4f7"
}
]
},
{
"@id": "_:N800c7441a32348d7b217b5c2fb12e3d1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:addresses"
},
"owl:someValuesFrom": {
"@id": "d3f:Partition"
}
},
{
"@id": "_:Nad5afd2f90ef4c0eb1e03ec0cec6f4f7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:BootRecord"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3_11",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Access Enforcement | Restrict Access to Specific Information Types",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-3(11)"
},
{
"@id": "d3f:d3fend-annotation",
"@type": "owl:AnnotationProperty",
"d3f:definition": "x d3fend-annotation y: The d3fend object x has the annotation y.",
"rdfs:label": "d3fend-annotation",
"rdfs:subPropertyOf": {
"@id": "owl:versionInfo"
}
},
{
"@id": "d3f:CWE-195",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-195",
"d3f:definition": "The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.",
"rdfs:label": "Signed to Unsigned Conversion Error",
"rdfs:subClassOf": {
"@id": "d3f:CWE-681"
}
},
{
"@id": "d3f:Reference-CAR-2020-09-005%3AAppInitDLLs_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-09-005/"
},
"d3f:kb-abstract": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:SystemInitConfigAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-09-005: AppInit DLLs",
"rdfs:label": "Reference - CAR-2020-09-005: AppInit DLLs - MITRE"
},
{
"@id": "d3f:CCI-001237_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:SoftwareUpdate"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-22T00:00:00"
},
"rdfs:label": "CCI-001237"
},
{
"@id": "d3f:RDPInitialResponseEvent",
"@type": "owl:Class",
"d3f:definition": "An event where an RDP server responds to an initial request from a client, presenting its supported capabilities and agreeing to proceed with session negotiation.",
"rdfs:label": "RDP Initial Response Event",
"rdfs:subClassOf": [
{
"@id": "d3f:RDPEvent"
},
{
"@id": "_:N5f35e335511c41ba882cb7f2668ca796"
}
]
},
{
"@id": "_:N5f35e335511c41ba882cb7f2668ca796",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:RDPInitialRequestEvent"
}
},
{
"@id": "d3f:CCI-001414_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-24T00:00:00"
},
"rdfs:label": "CCI-001414"
},
{
"@id": "d3f:DNSEvent",
"@type": "owl:Class",
"d3f:definition": "An event involving the Domain Name System (DNS), which translates domain names to IP addresses and operates over UDP and TCP.",
"rdfs:label": "DNS Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/classes/dns_activity"
},
"rdfs:subClassOf": [
{
"@id": "d3f:ApplicationLayerEvent"
},
{
"@id": "_:N9a492eec8d614ecbae3edf6b7ae0f478"
},
{
"@id": "_:N254f6c40e3b94f7994e4174770e7ebd1"
}
]
},
{
"@id": "_:N9a492eec8d614ecbae3edf6b7ae0f478",
"@type": "owl:Class",
"owl:unionOf": {
"@list": [
{
"@id": "d3f:TCPEvent"
},
{
"@id": "d3f:UDPEvent"
}
]
}
},
{
"@id": "_:N254f6c40e3b94f7994e4174770e7ebd1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:DNSNetworkTraffic"
}
},
{
"@id": "d3f:BayesOptimalClassifier",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-BOC",
"d3f:definition": "A probabilistic model that makes the most probable prediction for a new example.",
"d3f:kb-article": "## References\nBayes Optimal Classifier. Machine Learning Mastery. [Link](https://machinelearningmastery.com/bayes-optimal-classifier/).\nEnsemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
"rdfs:label": "Bayes Optimal Classifier",
"rdfs:subClassOf": {
"@id": "d3f:EnsembleLearning"
}
},
{
"@id": "d3f:CWE-202",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-202",
"d3f:definition": "When trying to keep information confidential, an attacker can often infer some of the information by using statistics.",
"rdfs:label": "Exposure of Sensitive Information Through Data Queries",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1230"
}
},
{
"@id": "d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/GB2318031A"
},
"d3f:kb-abstract": "A proxy which is part of a firewall controls exchanges of information between two application entities. The proxy interrogates attempts to establish a communication session by requesting entities with a server entity in lower layers in accordance with defined authentication procedures. The Proxy interfaces with networking software to direct a communication stack to monitor connection requests to any address on specific ports. The requestor's address, and the server's address are checked against a access control list. If either address is invalid, the proxy closes the connection. If both are valid, a new connection is setup such that both the requestor and server are transparently connected to the proxy with variable higher levels being connected in a relay mode. Protocol data units are interrogated for conformance to a protocol session, and optionally further decoded to add additional application specific filtering. In one embodiment, an OSI architecture comprises the levels.",
"d3f:kb-author": "Michael W Green, Ricky Ronald Kruse",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Secure Computing LLC",
"d3f:kb-reference-of": {
"@id": "d3f:InboundTrafficFiltering"
},
"d3f:kb-reference-title": "Network firewall with proxy",
"rdfs:label": "Reference - Network firewall with proxy - Secure Computing LLC"
},
{
"@id": "d3f:CWE-489",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-489",
"d3f:definition": "The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.",
"d3f:synonym": "Leftover debug code",
"rdfs:label": "Active Debug Code",
"rdfs:subClassOf": {
"@id": "d3f:CWE-710"
}
},
{
"@id": "d3f:ComputerNetworkNode",
"@type": "owl:Class",
"d3f:definition": "A network node running on a computer platform.",
"rdfs:label": "Computer Network Node",
"rdfs:subClassOf": [
{
"@id": "d3f:ComputerPlatform"
},
{
"@id": "d3f:NetworkNode"
}
]
},
{
"@id": "d3f:RFNode",
"@type": "owl:Class",
"d3f:definition": "An RF Node is a device or component that participates in the transmission, reception, or processing of radio frequency (RF) signals within a wireless communication system.",
"rdfs:label": "RF Node",
"rdfs:subClassOf": {
"@id": "d3f:NetworkNode"
}
},
{
"@id": "d3f:T1099",
"@type": "owl:Class",
"d3f:attack-id": "T1099",
"d3f:definition": "Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1070.006",
"rdfs:label": "Timestomp",
"rdfs:seeAlso": "T1070.006",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:DeepNeuralNetClassification",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DNNC",
"d3f:definition": "A deep neural network (DNN) is an artificial neural network (ANN) with multiple layers between the input and output layers. There are different types of neural networks but they always consist of the same components: neurons, synapses, weights, biases, and functions. These components as a whole function similarly to a human brain, and can be trained like any other ML algorithm",
"d3f:kb-article": "## References\nDeep learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Deep_learning).",
"rdfs:label": "Deep Neural Network Classification",
"rdfs:subClassOf": {
"@id": "d3f:ArtificialNeuralNetClassification"
}
},
{
"@id": "d3f:CWE-263",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-263",
"d3f:definition": "The product supports password aging, but the expiration period is too long.",
"rdfs:label": "Password Aging with Long Expiration",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1390"
}
},
{
"@id": "d3f:may-query",
"@type": "owl:ObjectProperty",
"rdfs:label": "may-query",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:Reference-PointerValidationFunction_SEI",
"@type": [
"owl:NamedIndividual",
"d3f:GuidelineReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://wiki.sei.cmu.edu/confluence/display/c/MEM10-C.+Define+and+use+a+pointer+validation+function"
},
"d3f:kb-organization": "Software Engineering Institute",
"d3f:kb-reference-of": [
{
"@id": "d3f:NullPointerChecking"
},
{
"@id": "d3f:PointerValidation"
}
],
"d3f:kb-reference-title": "SEI CERT C Coding Standard",
"rdfs:label": "Reference - Pointer Validation Function - SEI"
},
{
"@id": "d3f:CWE-308",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-308",
"d3f:definition": "The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.",
"rdfs:label": "Use of Single-factor Authentication",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1390"
},
{
"@id": "d3f:CWE-654"
}
]
},
{
"@id": "d3f:LocalFilePermissions",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:LocalFilePermissions"
],
"d3f:d3fend-id": "D3-LFP",
"d3f:definition": "Local file permissions is the systematic process of defining, implementing, and managing access control policies that dictate user permissions for accessing files on a local system through the configuration of operating system functionality.",
"d3f:kb-reference": {
"@id": "d3f:Reference-FileAndFolderPermissions"
},
"d3f:restricts": [
{
"@id": "d3f:Directory"
},
{
"@id": "d3f:File"
}
],
"rdfs:label": "Local File Permissions",
"rdfs:subClassOf": [
{
"@id": "d3f:AccessPolicyAdministration"
},
{
"@id": "_:N24e5e82d060148088e10d641d4615e7d"
},
{
"@id": "_:N11e64e8c605a4b9c85f0e8a1accb6e49"
}
]
},
{
"@id": "_:N24e5e82d060148088e10d641d4615e7d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restricts"
},
"owl:someValuesFrom": {
"@id": "d3f:Directory"
}
},
{
"@id": "_:N11e64e8c605a4b9c85f0e8a1accb6e49",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restricts"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:Semi-supervisedSelf-training",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SSST",
"d3f:definition": "Self-training is the procedure in which a supervised method for classification or regression is modified it to work in a semi-supervised manner, taking advantage of labeled and unlabeled data",
"d3f:kb-article": "## References\nAltexSoft. (n.d.). Semi-Supervised Learning: A Technical Guide with Python Examples. [Link](https://www.altexsoft.com/blog/semi-supervised-learning/#:~:text=One%20of%20the%20simplest%20examples,of%20labeled%20and%20unlabeled%20data.)",
"rdfs:label": "Semi-supervised Self-training",
"rdfs:subClassOf": {
"@id": "d3f:Semi-supervisedWrapperMethod"
}
},
{
"@id": "d3f:Reference-IntroductoryComputerForensics",
"@type": [
"owl:NamedIndividual",
"d3f:BookReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://core.ac.uk/download/pdf/326762883.pdf"
},
"d3f:kb-author": "Xiaodong Lin",
"d3f:kb-reference-of": {
"@id": "d3f:FileMetadataValueVerification"
},
"d3f:kb-reference-title": "Introductory Computer Forensics",
"rdfs:label": "Reference - Introductory Computer Forensics"
},
{
"@id": "d3f:CWE-708",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-708",
"d3f:definition": "The product assigns an owner to a resource, but the owner is outside of the intended control sphere.",
"rdfs:label": "Incorrect Ownership Assignment",
"rdfs:subClassOf": {
"@id": "d3f:CWE-282"
}
},
{
"@id": "d3f:CryptographicKey",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms. Keys also specify transformations in other cryptographic algorithms, such as digital signature schemes and message authentication codes.",
"rdfs:isDefinedBy": {
"@id": "dbr:Public-key_cryptography"
},
"rdfs:label": "Cryptographic Key",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformation"
}
},
{
"@id": "d3f:CWE-463",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-463",
"d3f:definition": "The accidental deletion of a data-structure sentinel can cause serious programming logic problems.",
"rdfs:label": "Deletion of Data Structure Sentinel",
"rdfs:subClassOf": {
"@id": "d3f:CWE-707"
}
},
{
"@id": "d3f:Reference-MalwareAnalysisSystem_PaloAltoNetworksInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20150319136A1"
},
"d3f:kb-abstract": "In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.",
"d3f:kb-author": "Huagang Xie; Xinran Wang; Jiangxia Liu",
"d3f:kb-mitre-analysis": "This patent describes a VM sandbox environment that uses heuristic based analysis techniques performed in real-time during a file transfer to determine if the file is malicious. A new signature can then be generated and distributed to automatically block future file transfer requests to download the malicious file.",
"d3f:kb-organization": "Palo Alto Networks Inc",
"d3f:kb-reference-of": {
"@id": "d3f:DynamicAnalysis"
},
"d3f:kb-reference-title": "Malware analysis system",
"rdfs:label": "Reference - Malware analysis system - Palo Alto Networks Inc"
},
{
"@id": "d3f:used-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x used-by y: is inverse of y uses x.",
"owl:inverseOf": {
"@id": "d3f:uses"
},
"rdfs:label": "used-by",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:NetworkAccessMediation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:NetworkAccessMediation"
],
"d3f:d3fend-id": "D3-NAM",
"d3f:definition": "Network access mediation is the control method for authorizing access to a system by a user (or a process acting on behalf of a user) communicating through a network, including a local area network, a wide area network, and the Internet.",
"d3f:isolates": {
"@id": "d3f:Network"
},
"d3f:kb-article": "## How it works\n\nNetwork Access Mediation is a crucial process in telecommunications and IT networks that involves controlling access to network resources. It acts as an intermediary layer between network access requests and the actual network resources, ensuring that only authorized users and devices can access the network.",
"d3f:kb-reference": {
"@id": "d3f:Reference-WhatIsNetworkAccessControl"
},
"d3f:synonym": "Network Access Control",
"rdfs:label": "Network Access Mediation",
"rdfs:seeAlso": {
"@id": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1r1.pdf"
},
"rdfs:subClassOf": [
{
"@id": "d3f:AccessMediation"
},
{
"@id": "_:N42d7bfc7253243ed83910452a9abc5fb"
}
]
},
{
"@id": "_:N42d7bfc7253243ed83910452a9abc5fb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:isolates"
},
"owl:someValuesFrom": {
"@id": "d3f:Network"
}
},
{
"@id": "d3f:T1202",
"@type": "owl:Class",
"d3f:attack-id": "T1202",
"d3f:definition": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)",
"rdfs:label": "Indirect Command Execution",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:WindowsNtCreateMailslotFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Creates a special File Object called Mailslot.",
"rdfs:label": "Windows NtCreateMailslotFile",
"rdfs:seeAlso": {
"@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
},
"rdfs:subClassOf": {
"@id": "d3f:OSAPICreateFile"
}
},
{
"@id": "d3f:CCI-000193_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces password complexity by the minimum number of lower case characters used.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:StrongPasswordPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-15T00:00:00"
},
"rdfs:label": "CCI-000193"
},
{
"@id": "d3f:CCI-001352_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-22T00:00:00"
},
"rdfs:label": "CCI-001352"
},
{
"@id": "d3f:T1177",
"@type": "owl:Class",
"d3f:attack-id": "T1177",
"d3f:definition": "The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1547.008",
"rdfs:label": "LSASS Driver",
"rdfs:seeAlso": "T1547.008",
"rdfs:subClassOf": [
{
"@id": "d3f:ExecutionTechnique"
},
{
"@id": "d3f:PersistenceTechnique"
}
]
},
{
"@id": "d3f:T1204.004",
"@type": "owl:Class",
"d3f:attack-id": "T1204.004",
"d3f:definition": "An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).",
"rdfs:label": "Malicious Copy and Paste",
"rdfs:subClassOf": {
"@id": "d3f:T1204"
}
},
{
"@id": "d3f:DS0039",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "Data sources with information about the set of devices found within the network, along with their current software and configurations",
"d3f:exactly": {
"@id": "d3f:AssetInventoryAgent"
},
"rdfs:label": "Asset (ATT&CK DS)"
},
{
"@id": "d3f:T1583",
"@type": "owl:Class",
"d3f:attack-id": "T1583",
"d3f:definition": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.",
"rdfs:label": "Acquire Infrastructure",
"rdfs:subClassOf": {
"@id": "d3f:ResourceDevelopmentTechnique"
}
},
{
"@id": "d3f:instructed-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x instructed-by y: A subject x takes machine instructions from object y.",
"rdfs:label": "instructed-by",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:CCI-001094_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001094"
},
{
"@id": "d3f:T1066",
"@type": "owl:Class",
"d3f:attack-id": "T1066",
"d3f:definition": "If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1027.005",
"rdfs:label": "Indicator Removal from Tools",
"rdfs:seeAlso": "T1027.005",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:CWE-577",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-577",
"d3f:definition": "The product violates the Enterprise JavaBeans (EJB) specification by using sockets.",
"rdfs:label": "EJB Bad Practices: Use of Sockets",
"rdfs:subClassOf": {
"@id": "d3f:CWE-573"
}
},
{
"@id": "d3f:ApplicationStartEvent",
"@type": "owl:Class",
"d3f:definition": "An event where an application transitions from an inactive state to an active state, initializing its resources and becoming operational for user interaction or automated processes.",
"rdfs:label": "Application Start Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ApplicationEvent"
},
{
"@id": "_:N38b0dac5517f470d9da81427ef62c1fe"
}
]
},
{
"@id": "_:N38b0dac5517f470d9da81427ef62c1fe",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ApplicationInstallationEvent"
}
},
{
"@id": "d3f:WirelessRouter",
"@type": "owl:Class",
"d3f:definition": "A wireless router is a device that performs the functions of a router and also includes the functions of a wireless access point. It is used to provide access to the Internet or a private computer network. Depending on the manufacturer and model, it can function in a wired local area network, in a wireless-only LAN, or in a mixed wired and wireless network.",
"rdfs:isDefinedBy": {
"@id": "dbr:Wireless_router"
},
"rdfs:label": "Wireless Router",
"rdfs:subClassOf": [
{
"@id": "d3f:Router"
},
{
"@id": "d3f:WirelessAccessPoint"
}
]
},
{
"@id": "d3f:BootRecord",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A d3f:Record which is an essential component of the early boot (system initialization) process.",
"rdfs:label": "Boot Record",
"rdfs:subClassOf": {
"@id": "d3f:Record"
}
},
{
"@id": "d3f:OTPauseCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Commands a device to pause a service/program.",
"rdfs:label": "OT Pause Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
},
{
"@id": "_:N25765514fc9943b2bb77d7ba0c1b320c"
},
{
"@id": "_:Nfdbab4302cf54ed9b4b03e35b939473a"
},
{
"@id": "_:N2c6c8720d85a45f0a95049fec268caaf"
}
]
},
{
"@id": "_:N25765514fc9943b2bb77d7ba0c1b320c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTPauseCommand"
}
},
{
"@id": "_:Nfdbab4302cf54ed9b4b03e35b939473a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingMode"
}
},
{
"@id": "_:N2c6c8720d85a45f0a95049fec268caaf",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:OTRunCommandEvent"
}
},
{
"@id": "d3f:PhysicalLinkDisableEvent",
"@type": "owl:Class",
"d3f:definition": "An administrator issues a shutdown or disable command, forcing the link out of service regardless of signal status.",
"rdfs:label": "Physical Link Disable Event",
"rdfs:subClassOf": [
{
"@id": "d3f:PhysicalLinkEvent"
},
{
"@id": "_:Nf1486bdc72b843adb2c3d86cede3f454"
}
]
},
{
"@id": "_:Nf1486bdc72b843adb2c3d86cede3f454",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:PhysicalLinkUpEvent"
}
},
{
"@id": "d3f:CWE-116",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-116",
"d3f:definition": "The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.",
"d3f:synonym": [
"Output Encoding",
"Output Sanitization",
"Output Validation"
],
"rdfs:label": "Improper Encoding or Escaping of Output",
"rdfs:subClassOf": {
"@id": "d3f:CWE-707"
}
},
{
"@id": "d3f:SerializationFunction",
"@type": "owl:Class",
"d3f:definition": "A function which has an operation that serializes data.",
"rdfs:label": "Serialization Function",
"rdfs:subClassOf": {
"@id": "d3f:Subroutine"
}
},
{
"@id": "d3f:OSAPIReadFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An OS API function that reads data from a file or input stream into memory.",
"d3f:invokes": {
"@id": "d3f:ReadFile"
},
"rdfs:label": "OS API Read File",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPISystemFunction"
},
{
"@id": "_:N63335c475a3b45fdb88cc0dc6794c38a"
}
]
},
{
"@id": "_:N63335c475a3b45fdb88cc0dc6794c38a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:ReadFile"
}
},
{
"@id": "d3f:CWE-572",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-572",
"d3f:definition": "The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.",
"rdfs:label": "Call to Thread run() instead of start()",
"rdfs:subClassOf": {
"@id": "d3f:CWE-821"
}
},
{
"@id": "d3f:OutputDevice",
"@type": "owl:Class",
"d3f:definition": "An output device is any piece of computer hardware equipment which converts information into human-readable form. It can be text, graphics, tactile, audio, and video. Some of the output devices are Visual Display Units (VDU) i.e. a Monitor, Printer, Graphic Output devices, Plotters, Speakers etc. A new type of Output device is been developed these days, known as Speech synthesizer, a mechanism attached to the computer which produces verbal output sounding almost like human speeches.",
"rdfs:isDefinedBy": {
"@id": "dbr:Output_device"
},
"rdfs:label": "Output Device",
"rdfs:subClassOf": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:GetOpenSockets",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:enumerates": {
"@id": "d3f:Pipe"
},
"rdfs:label": "Get Open Sockets",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N7bf4950af290464b9d3202130dfa9d55"
}
]
},
{
"@id": "_:N7bf4950af290464b9d3202130dfa9d55",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enumerates"
},
"owl:someValuesFrom": {
"@id": "d3f:Pipe"
}
},
{
"@id": "d3f:DISA_FSO",
"@type": [
"owl:NamedIndividual",
"d3f:Organization"
],
"d3f:definition": "Defense Information Systems Agency (DISA) Field Security Office (FSO)",
"rdfs:label": "DISA FSO"
},
{
"@id": "d3f:validates",
"@type": "owl:ObjectProperty",
"d3f:definition": "x validates y: The technique x proves the digital artifact y is valid; that is, x shows or confirms the validity of y.",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/00669142-v"
},
"rdfs:label": "validates",
"rdfs:subPropertyOf": [
{
"@id": "d3f:associated-with"
},
{
"@id": "d3f:hardens"
}
]
},
{
"@id": "d3f:SetSystemConfigValue",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:modifies": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
},
"rdfs:label": "Set System Config Value",
"rdfs:seeAlso": {
"@id": "https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regsetvalueexa"
},
"rdfs:subClassOf": [
{
"@id": "d3f:SystemConfigSystemCall"
},
{
"@id": "_:Nee7389932d7b46e6bfc357814583cbb0"
}
]
},
{
"@id": "_:Nee7389932d7b46e6bfc357814583cbb0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
}
},
{
"@id": "d3f:CWE-7",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-7",
"d3f:definition": "The default error page of a web application should not display sensitive information about the product.",
"rdfs:label": "J2EE Misconfiguration: Missing Custom Error Page",
"rdfs:subClassOf": {
"@id": "d3f:CWE-756"
}
},
{
"@id": "d3f:OTEstablishRemoteConnectionCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Used to establish an TCP/IP Connection to the target device.",
"rdfs:label": "OT Establish Remote Connection Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTConnectionCommandEvent"
},
{
"@id": "_:Nd7cb1d68fcbe4ca5ae16125f5bac0db4"
}
]
},
{
"@id": "_:Nd7cb1d68fcbe4ca5ae16125f5bac0db4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTEstablishRemoteConnectionCommand"
}
},
{
"@id": "d3f:process-command-line-arguments",
"@type": "owl:DatatypeProperty",
"d3f:definition": "x process-command-line-arguments y: The process x has the process command line arguments data y.",
"rdfs:label": "process-command-line-arguments",
"rdfs:subPropertyOf": {
"@id": "d3f:process-data-property"
}
},
{
"@id": "d3f:T1564.010",
"@type": "owl:Class",
"d3f:attack-id": "T1564.010",
"d3f:definition": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)",
"rdfs:label": "Process Argument Spoofing",
"rdfs:subClassOf": {
"@id": "d3f:T1564"
}
},
{
"@id": "d3f:Reference-ModelingUserAccessToComputerResources_DaedalusGroupLLC",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US8214364B2"
},
"d3f:kb-abstract": "Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes.",
"d3f:kb-author": "Joseph P. Bigus, Leon Gong, Christoph Lingenfelder",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Daedalus Group LLC (formerly IBM)",
"d3f:kb-reference-of": {
"@id": "d3f:ResourceAccessPatternAnalysis"
},
"d3f:kb-reference-title": "Modeling user access to computer resources",
"rdfs:label": "Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM)"
},
{
"@id": "d3f:WindowsRegistryKeyExportEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the export of registry key data from the Windows Registry to an external file or format.",
"rdfs:label": "Windows Registry Key Export Event",
"rdfs:subClassOf": [
{
"@id": "d3f:WindowsRegistryKeyEvent"
},
{
"@id": "_:Nec9271d7041743808b637011177a133a"
}
]
},
{
"@id": "_:Nec9271d7041743808b637011177a133a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryKeyCreationEvent"
}
},
{
"@id": "d3f:ATTACKEnterpriseTactic",
"@type": "owl:Class",
"rdfs:label": "ATTACK Enterprise Tactic",
"rdfs:subClassOf": {
"@id": "d3f:ATTACKEnterpriseThing"
}
},
{
"@id": "d3f:T1068",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1068",
"d3f:definition": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.",
"d3f:enables": {
"@id": "d3f:TA0004"
},
"d3f:may-modify": {
"@id": "d3f:StackFrame"
},
"d3f:modifies": {
"@id": "d3f:ProcessCodeSegment"
},
"rdfs:label": "Exploitation for Privilege Escalation",
"rdfs:subClassOf": [
{
"@id": "d3f:PrivilegeEscalationTechnique"
},
{
"@id": "_:N4679636aca634e81b833943bda80e7e2"
},
{
"@id": "_:Ne6d34d7a183f41e3bafd03fd40de5f29"
},
{
"@id": "_:N9b1810e625b14666bd9a951ad037d5c8"
}
]
},
{
"@id": "_:N4679636aca634e81b833943bda80e7e2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:TA0004"
}
},
{
"@id": "_:Ne6d34d7a183f41e3bafd03fd40de5f29",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:StackFrame"
}
},
{
"@id": "_:N9b1810e625b14666bd9a951ad037d5c8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessCodeSegment"
}
},
{
"@id": "d3f:CCI-000027_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces dynamic information flow control based on organization-defined policies.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-13T00:00:00"
},
"rdfs:label": "CCI-000027"
},
{
"@id": "d3f:Reference-DebuggersForAccessibilityApplications_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2014-11-006/"
},
"d3f:kb-abstract": "The Windows Registry location HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the \"Debugger\" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings \"sethc.exe\", \"utilman.exe\", \"osk.exe\", \"narrator.exe\", and \"Magnify.exe\" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.\n\nThis analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string \"sethc.exe\" being used as an argument for another application is unlikely, it still is a possibility.",
"d3f:kb-author": "MITRE",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessLineageAnalysis"
},
"d3f:kb-reference-title": "CAR-2014-11-003: Debuggers for Accessibility Applications",
"rdfs:label": "Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITRE"
},
{
"@id": "d3f:has-recipient",
"@type": "owl:ObjectProperty",
"d3f:definition": "x has_recipient y: An agent y is the intended recipient and decoder of the information contained in communication x.",
"rdfs:isDefinedBy": {
"@id": "http://www.ontologyrepository.com/CommonCoreOntologies/has_recipient"
},
"rdfs:label": "has-recipient",
"rdfs:seeAlso": [
{
"@id": "http://wordnet-rdf.princeton.edu/id/09651094-n"
},
{
"@id": "http://wordnet-rdf.princeton.edu/id/09788768-n"
}
],
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:OTControlCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Command and control the managed process.",
"rdfs:label": "OT Control Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTProcessDataCommandEvent"
},
{
"@id": "_:Nc9d1eccbd5d849a0a6db3fd2a5cbb719"
}
]
},
{
"@id": "_:Nc9d1eccbd5d849a0a6db3fd2a5cbb719",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTControlCommand"
}
},
{
"@id": "d3f:Kernel-basedProcessIsolation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:Kernel-basedProcessIsolation"
],
"d3f:d3fend-id": "D3-KBPI",
"d3f:definition": "Using kernel-level capabilities to isolate processes.",
"d3f:isolates": {
"@id": "d3f:Process"
},
"d3f:kb-reference": {
"@id": "d3f:Reference-OverviewOfTheSeccompSandbox"
},
"rdfs:comment": "e.g. KVM",
"rdfs:label": "Kernel-based Process Isolation",
"rdfs:subClassOf": [
{
"@id": "d3f:ExecutionIsolation"
},
{
"@id": "_:N27baed4e4a0a4dc79e38535d79a7b080"
}
]
},
{
"@id": "_:N27baed4e4a0a4dc79e38535d79a7b080",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:isolates"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:PartialMatching",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-PM",
"d3f:definition": "Partial string pattern matching is a special case of string pattern matching where one seeks to find a pattern within a larger string (text). It allows for the detection of patterns that occur as substrings or partial segments within the full string, rather than requiring an exact match across the entire string.",
"d3f:kb-article": [
"## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)",
"Numeric pattern matching is a method of matching some defined pattern specification against a numeric value."
],
"rdfs:label": "Partial Matching",
"rdfs:subClassOf": {
"@id": "d3f:StringPatternMatching"
}
},
{
"@id": "d3f:Reference-RDPConnectionDetection_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2013-07-002"
},
"d3f:kb-abstract": "The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.",
"d3f:kb-author": "MITRE",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:RemoteTerminalSessionDetection"
},
"d3f:kb-reference-title": "CAR-2013-07-002: RDP Connection Detection",
"rdfs:label": "Reference - CAR-2013-07-002: RDP Connection Detection - MITRE"
},
{
"@id": "d3f:IOModule",
"@type": "owl:Class",
"d3f:definition": "An I/O Module is a hardware device that translates signals between external sensors or actuators and control systems. It typically handles analog-to-digital (and vice versa) conversion, serving as the data interface that allows physical processes to be monitored and controlled by digital controllers.",
"rdfs:label": "I/O Module",
"rdfs:subClassOf": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:ParentProcess",
"@type": "owl:Class",
"d3f:definition": "In computing, a parent process is a process that has created one or more child processes.",
"rdfs:isDefinedBy": {
"@id": "dbr:Parent_process"
},
"rdfs:label": "Parent Process",
"rdfs:seeAlso": {
"@id": "dbr:Child_process"
},
"rdfs:subClassOf": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:Reference-CAR-2020-11-010%3ACMSTP_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-11-010/"
},
"d3f:kb-abstract": "CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-11-010: CMSTP",
"rdfs:label": "Reference - CAR-2020-11-010: CMSTP - MITRE"
},
{
"@id": "d3f:T1070.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1070.003",
"d3f:definition": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.",
"d3f:modifies": {
"@id": "d3f:CommandHistoryLog"
},
"rdfs:label": "Clear Command History",
"rdfs:subClassOf": [
{
"@id": "d3f:T1070"
},
{
"@id": "_:N99ac9b2ecf19463e9575e7eac4b05feb"
}
]
},
{
"@id": "_:N99ac9b2ecf19463e9575e7eac4b05feb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:CommandHistoryLog"
}
},
{
"@id": "d3f:AssetInventoryAgent",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An asset inventory agent is a software tool which captures and transmits information about the devices on a network, including their hostnames, MAC addresses, software they may be running, etc.",
"rdfs:label": "Asset Inventory Agent",
"rdfs:seeAlso": {
"@id": "https://www.ninjaone.com/blog/how-to-do-an-it-asset-inventory"
},
"rdfs:subClassOf": {
"@id": "d3f:NetworkAgent"
}
},
{
"@id": "d3f:ClusterAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-CA",
"d3f:definition": "Cluster analysis or clustering is the task of grouping a set of objects in such a way that objects in the same group (called a cluster) are more similar (in some sense) to each other than to those in other groups (clusters).",
"d3f:kb-article": "## References\nCluster analysis. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Cluster_analysis)",
"rdfs:label": "Cluster Analysis",
"rdfs:subClassOf": {
"@id": "d3f:UnsupervisedLearning"
}
},
{
"@id": "d3f:OTProcessVariable",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Process variables are the current actual measurement of the physical characteristics of a system. Common process variables include but are not limited to Temperature, Pressure, Level, and Flow.",
"rdfs:label": "OT Process Variable",
"rdfs:seeAlso": {
"@id": "https://isagca.org/hubfs/2023%20ISA%20Website%20Redesigns/ISAGCA/PDFs/Industrial%20Cybersecurity%20Knowledge%20FINAL.pdf?hsLang=en"
},
"rdfs:subClassOf": {
"@id": "d3f:OTLogicVariable"
},
"skos:example": "If the current temperature in a home is 82 degrees Fahrenheit, the process variable is 82 degrees."
},
{
"@id": "d3f:LinuxPtraceArgumentPTRACEPOKETEXT",
"@type": "owl:Class",
"d3f:definition": "Copy the word data to the address addr in the tracee's memory.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
},
"rdfs:label": "Linux Ptrace Argument PTRACE_POKETEXT",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIWriteMemory"
}
},
{
"@id": "d3f:T1134.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1134.001",
"d3f:copies": {
"@id": "d3f:AccessToken"
},
"d3f:definition": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.",
"rdfs:label": "Token Impersonation/Theft",
"rdfs:subClassOf": [
{
"@id": "d3f:T1134"
},
{
"@id": "_:N836c6caa1c9444f98392e230acdd8891"
}
]
},
{
"@id": "_:N836c6caa1c9444f98392e230acdd8891",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:copies"
},
"owl:someValuesFrom": {
"@id": "d3f:AccessToken"
}
},
{
"@id": "d3f:CWE-148",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-148",
"d3f:definition": "The product does not properly handle when a leading character or sequence (\"leader\") is missing or malformed, or if multiple leaders are used when only one should be allowed.",
"rdfs:label": "Improper Neutralization of Input Leaders",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:T1147",
"@type": "owl:Class",
"d3f:attack-id": "T1147",
"d3f:definition": "Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: sudo dscl . -create /Users/username UniqueID 401 (Citation: Cybereason OSX Pirrit).",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1564.002",
"rdfs:label": "Hidden Users",
"rdfs:seeAlso": "T1564.002",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:DynamicAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DynamicAnalysis"
],
"d3f:analyzes": [
{
"@id": "d3f:DocumentFile"
},
{
"@id": "d3f:ExecutableFile"
}
],
"d3f:d3fend-id": "D3-DA",
"d3f:definition": "Executing or opening a file in a synthetic \"sandbox\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.",
"d3f:kb-article": "## How it works\nAnalyzing the interaction of a piece of code with a system while the code is being executed in a controlled environment such as a sandbox, virtual machine, or simulator. This exposes the natural behavior of the piece of code without requiring the code to be disassembled.\n\n## Considerations\n * Malware often detects a fake environment, then changes its behavior accordingly. For example, it could detect that the system clock is being sped up in an effort to get it to execute commands that it would normally only execute at a later time, or that the hardware manufacturer of the machine is a virtualization provider.\n * Malware can attempt to determine if it is being debugged, and change its behavior accordingly.\n * For maximum fidelity, the simulated and real environments should be as similar as possible because the malware could perform differently in different environments.\n * Sometimes the malware behavior is triggered only under certain conditions (on a specific system date, after a certain time, or after it is sent a specific command) and can't be detected through a short execution in a virtual environment.\n\n## Implementations\n* Cuckoo Sandbox",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-MalwareAnalysisSystem_PaloAltoNetworksInc"
},
{
"@id": "d3f:Reference-UseOfAnApplicationControllerToMonitorAndControlSoftwareFileAndApplicationEnvironments_SophosLtd"
}
],
"d3f:synonym": [
"Malware Detonation",
"Malware Sandbox"
],
"rdfs:label": "Dynamic Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:FileAnalysis"
},
{
"@id": "_:N4adc8f80828b42d4b7553cf416d98922"
},
{
"@id": "_:N5e38380aa2924ba197b48e9ae5f789ed"
}
]
},
{
"@id": "_:N4adc8f80828b42d4b7553cf416d98922",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:DocumentFile"
}
},
{
"@id": "_:N5e38380aa2924ba197b48e9ae5f789ed",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableFile"
}
},
{
"@id": "d3f:Hybrid-basedTransferLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-HBTL",
"d3f:definition": "This method creates an asymmetric mapping from the target to the source and takes into account bias issues of cross-domain correspondences.",
"d3f:kb-article": "## References\nDay, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).",
"rdfs:label": "Hybrid-based Transfer Learning",
"rdfs:subClassOf": {
"@id": "d3f:HomogenousTransferLearning"
}
},
{
"@id": "d3f:T1006",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:Volume"
},
"d3f:attack-id": "T1006",
"d3f:definition": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)",
"rdfs:label": "Direct Volume Access",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "_:Naa4657edc22a47ada7b6ae31c2cdbfe6"
}
]
},
{
"@id": "_:Naa4657edc22a47ada7b6ae31c2cdbfe6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:Volume"
}
},
{
"@id": "d3f:CopyMemoryFunction",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:copies": {
"@id": "d3f:MemoryBlock"
},
"d3f:definition": "Copies a memory block from one location to another.",
"rdfs:label": "Copy Memory Function",
"rdfs:subClassOf": [
{
"@id": "d3f:Subroutine"
},
{
"@id": "_:N9767318fd10f490b939591325bd176b5"
}
]
},
{
"@id": "_:N9767318fd10f490b939591325bd176b5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:copies"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryBlock"
}
},
{
"@id": "d3f:CWE-159",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-159",
"d3f:definition": "The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.",
"rdfs:label": "Improper Handling of Invalid Use of Special Elements",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:T1021.004",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1021.004",
"d3f:creates": {
"@id": "d3f:SSHSession"
},
"d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.",
"d3f:produces": {
"@id": "d3f:AdministrativeNetworkTraffic"
},
"rdfs:label": "SSH",
"rdfs:subClassOf": [
{
"@id": "d3f:T1021"
},
{
"@id": "_:N6230a1704ef3450183bae8d26979f7c3"
},
{
"@id": "_:N237b7296a90c49e6902a70464048c8c4"
}
]
},
{
"@id": "_:N6230a1704ef3450183bae8d26979f7c3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:SSHSession"
}
},
{
"@id": "_:N237b7296a90c49e6902a70464048c8c4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:AdministrativeNetworkTraffic"
}
},
{
"@id": "d3f:CWE-50",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-50",
"d3f:definition": "The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
"rdfs:label": "Path Equivalence: '//multiple/leading/slash'",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-161"
},
{
"@id": "d3f:CWE-41"
}
]
},
{
"@id": "d3f:T1558.004",
"@type": "owl:Class",
"d3f:attack-id": "T1558.004",
"d3f:definition": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)",
"rdfs:label": "AS-REP Roasting",
"rdfs:subClassOf": {
"@id": "d3f:T1558"
}
},
{
"@id": "d3f:T1166",
"@type": "owl:Class",
"d3f:attack-id": "T1166",
"d3f:definition": "When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1548.001",
"rdfs:label": "Setuid and Setgid",
"rdfs:seeAlso": "T1548.001",
"rdfs:subClassOf": [
{
"@id": "d3f:PersistenceTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
}
]
},
{
"@id": "d3f:CWE-1098",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1098",
"d3f:definition": "The code contains a data element with a pointer that does not have an associated copy or constructor method.",
"rdfs:label": "Data Element containing Pointer Item without Proper Copy Control Element",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1076"
}
},
{
"@id": "d3f:CCI-000022_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-13T00:00:00"
},
"rdfs:label": "CCI-000022"
},
{
"@id": "d3f:OTControlCommand",
"@type": "owl:Class",
"d3f:definition": "Command and control the managed process.",
"rdfs:comment": [
"CIP: Reset\nCIP: Start\nCIP: Stop\nCIP: Create\nCIP: Delete\nCIP: Apply Attributes\nCIP: Restore\nCIP: Save ",
"GE-SRTP: PLC SHORT STATUS REQUEST"
],
"rdfs:label": "OT Control Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTProcessDataCommand"
}
},
{
"@id": "d3f:T1137.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1137.002",
"d3f:definition": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)",
"d3f:modifies": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
},
"rdfs:label": "Office Test",
"rdfs:subClassOf": [
{
"@id": "d3f:T1137"
},
{
"@id": "_:N3b3430399b0143939baf72ebafca68e8"
}
]
},
{
"@id": "_:N3b3430399b0143939baf72ebafca68e8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
}
},
{
"@id": "d3f:CWE-1259",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1259",
"d3f:definition": "The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.",
"rdfs:label": "Improper Restriction of Security Token Assignment",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:WindowsSuspendThread",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Suspends the specified thread.",
"d3f:invokes": {
"@id": "d3f:WindowsNtSuspendThread"
},
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread"
},
"rdfs:label": "Windows SuspendThread",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPISuspendThread"
},
{
"@id": "_:N177b5009b06f413c8d0ca900ff5756f7"
}
]
},
{
"@id": "_:N177b5009b06f413c8d0ca900ff5756f7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtSuspendThread"
}
},
{
"@id": "d3f:CWE-252",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-252",
"d3f:definition": "The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.",
"rdfs:label": "Unchecked Return Value",
"rdfs:subClassOf": {
"@id": "d3f:CWE-754"
}
},
{
"@id": "d3f:T1205.002",
"@type": "owl:Class",
"d3f:attack-id": "T1205.002",
"d3f:definition": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.",
"rdfs:label": "Socket Filters",
"rdfs:subClassOf": {
"@id": "d3f:T1205"
}
},
{
"@id": "d3f:CWE-338",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-338",
"d3f:definition": "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
"rdfs:label": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"rdfs:subClassOf": {
"@id": "d3f:CWE-330"
}
},
{
"@id": "d3f:CCI-001009_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:FileEncryption"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001009"
},
{
"@id": "d3f:HTTPPostEvent",
"@type": "owl:Class",
"d3f:definition": "An event where the HTTP POST method is used to submit data to the specified resource, often causing a change in state or side effects on the server.",
"rdfs:label": "HTTP POST Event",
"rdfs:subClassOf": {
"@id": "d3f:HTTPRequestEvent"
}
},
{
"@id": "d3f:SystemDaemonMonitoring",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:SystemDaemonMonitoring"
],
"d3f:d3fend-id": "D3-SDM",
"d3f:definition": "Tracking changes to the state or configuration of critical system level processes.",
"d3f:kb-article": "## How it works\nAttackers may manipulate system settings or services to disable system logging or monitoring of security tools and events. Firewall and antivirus services are popular targets for attackers. Disabling system logs will also allow an attacker's actions to go unnoticed. Analysis of logs, registries, and process monitoring help defenders locate signs of tampering. Two possible approaches are to monitor hardened system services or to monitor registry updates for modifications to security settings.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
},
{
"@id": "d3f:Reference-MethodUsingKernelModeAssistanceForTheDetectionAndRemovalOfThreatsWhichAreActivelyPreventingDetectionAndRemovalFromARunningSystem_SymantecCorporation"
},
{
"@id": "d3f:Reference-UserActivityFromStoppingWindowsDefensiveServices_MITRE"
}
],
"d3f:monitors": {
"@id": "d3f:OperatingSystemProcess"
},
"rdfs:label": "System Daemon Monitoring",
"rdfs:subClassOf": [
{
"@id": "d3f:OperatingSystemMonitoring"
},
{
"@id": "_:Nae6d394e272f4392afec2acd2bb2ce2c"
}
]
},
{
"@id": "_:Nae6d394e272f4392afec2acd2bb2ce2c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:monitors"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingSystemProcess"
}
},
{
"@id": "d3f:CWE-594",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-594",
"d3f:definition": "When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.",
"rdfs:label": "J2EE Framework: Saving Unserializable Objects to Disk",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1076"
},
{
"@id": "d3f:CWE-710"
}
]
},
{
"@id": "d3f:CWE-245",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-245",
"d3f:definition": "The J2EE application directly manages connections, instead of using the container's connection management facilities.",
"rdfs:label": "J2EE Bad Practices: Direct Management of Connections",
"rdfs:subClassOf": {
"@id": "d3f:CWE-695"
}
},
{
"@id": "d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US6832256B1"
},
"d3f:kb-abstract": "Data transfer is controlled between a first network and a second network of computers by a firewall-proxy combination. Active interpretation of protocol commands exchanged between the first network and the second network is performed to determine specific actions concerning completion of the protocol request. This active firewall-proxy combination may exist on either the first or second network of computers. This method of control provides centralized control and administration for all potentially reachable resources within a network.",
"d3f:kb-author": "James E. Toga",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Intel Corp",
"d3f:kb-reference-of": {
"@id": "d3f:InboundTrafficFiltering"
},
"d3f:kb-reference-title": "Firewalls that filter based upon protocol commands",
"rdfs:label": "Reference - Firewalls that filter based upon protocol commands - Intel Corp"
},
{
"@id": "d3f:CWE-483",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-483",
"d3f:definition": "The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.",
"rdfs:label": "Incorrect Block Delimitation",
"rdfs:subClassOf": {
"@id": "d3f:CWE-670"
}
},
{
"@id": "d3f:ScriptExecutionAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ScriptExecutionAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:ScriptApplicationProcess"
},
"d3f:d3fend-id": "D3-SEA",
"d3f:definition": "Analyzing the execution of a script to detect unauthorized user activity.",
"d3f:kb-article": "## How it works\nSoftware installed on the host system hooks into a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. Pattern matching is used to identify unauthorized commands or in the case of script files, a hash of the file is compared against hashes of known unauthorized script files.\n\n## Considerations\nList of known unauthorized script files or regular expression patterns must be kept up to date to ensure detection of new threats.",
"d3f:kb-reference": {
"@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc"
},
"rdfs:label": "Script Execution Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessAnalysis"
},
{
"@id": "_:N2f5b1dff6ee9427fa526f328297784c0"
}
]
},
{
"@id": "_:N2f5b1dff6ee9427fa526f328297784c0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:ScriptApplicationProcess"
}
},
{
"@id": "d3f:Clustering",
"@type": "owl:Class",
"rdfs:label": "Clustering",
"rdfs:subClassOf": {
"@id": "d3f:Summarizing"
}
},
{
"@id": "d3f:FileContentRules",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:FileContentRules"
],
"d3f:d3fend-id": "D3-FCR",
"d3f:definition": "Employing a pattern matching rule language to analyze the content of files.",
"d3f:kb-article": "## How it works\nRules, often called signatures, are used for both generic and targeted malware detection. The rules are usually expressed in a domain specific language (DSL), then deployed to software that scans files for matches. The rules are developed and broadly distributed by commercial vendors, or they are developed and deployed by enterprise security teams to address highly targeted or custom malware. Conceptually, there are public and private rule sets. Both leverage the same technology, but they are intended to detect different types of cyber adversaries.\n\n## Considerations\n* Patterns expressed in the DSLs range in their complexity. Some scanning engines support file parsing and normalization for high fidelity matching, others support only simple regular expression matching against raw file data. Engineers must make a trade-off in terms of:\n * The fidelity of the matching capabilities in order to balance high recall with avoiding false positives,\n * The computational load for scanning, and\n * The resilience of the engine to deal with adversarial content presented in different forms-- content which in some cases is designed to exploit or defeat the scanning engines.\n * Signature libraries can become large over time and impact scanning performance.\n * Some vendors who sell signatures have to delete old signatures over time.\n * Simple signatures against raw content cannot match against encoded, encrypted, or sufficiently obfuscated content.\n\n## Implementations\n * YARA\n * ClamAV",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-ComputationalModelingAndClassificationOfDataStreams_CrowdstrikeInc"
},
{
"@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc"
},
{
"@id": "d3f:Reference-DistributedMeta-informationQueryInANetwork_Bit9Inc"
},
{
"@id": "d3f:Reference-SystemAndMethodsThereofForLogicalIdentificationOfMaliciousThreatsAcrossAPluralityOfEnd-pointDevicesCommunicativelyConnectedByANetwork_PaloAltoNetworksIncCyberSecdoLtd"
}
],
"d3f:synonym": [
"File Content Signatures",
"File Signatures"
],
"rdfs:label": "File Content Rules",
"rdfs:subClassOf": {
"@id": "d3f:FileContentAnalysis"
}
},
{
"@id": "d3f:RegOpenKeyTransactedW",
"@type": [
"owl:NamedIndividual",
"d3f:GetSystemConfigValue"
],
"rdfs:label": "RegOpenKeyTransactedW"
},
{
"@id": "d3f:T1564.014",
"@type": "owl:Class",
"d3f:attack-id": "T1564.014",
"d3f:definition": "Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like `Finder`, `ls`, or `cat` and require utilities such as `xattr` (macOS) or `getfattr` (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as `user.` (user permissions), `trusted.` (root permissions), `security.`, and `system.`, each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with `com.apple.*` (e.g., `com.apple.quarantine`, `com.apple.metadata:_kMDItemUserTags`) and used by system features like Gatekeeper and Spotlight.(Citation: Establishing persistence using extended attributes on Linux)",
"rdfs:label": "Extended Attributes",
"rdfs:subClassOf": {
"@id": "d3f:T1564"
}
},
{
"@id": "d3f:CWE-61",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-61",
"d3f:definition": "The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.",
"d3f:synonym": [
"Symlink following",
"symlink vulnerability"
],
"rdfs:label": "UNIX Symbolic Link (Symlink) Following",
"rdfs:subClassOf": {
"@id": "d3f:CWE-59"
}
},
{
"@id": "d3f:adds",
"@type": "owl:ObjectProperty",
"d3f:definition": "x adds y: The subject x adds a data object y, such as a file, to some other digital artifact, such as a directory. Examples include an agent or technique adding a record to a database. or a domain entry to a DNS server.",
"rdfs:label": "adds",
"rdfs:subPropertyOf": [
{
"@id": "d3f:associated-with"
},
{
"@id": "d3f:may-add"
}
]
},
{
"@id": "d3f:CWE-110",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-110",
"d3f:definition": "Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.",
"rdfs:label": "Struts: Validator Without Form Field",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1164"
}
},
{
"@id": "d3f:PacketCaptureFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:NetworkPacket"
},
"d3f:definition": "A file which contains raw representations of collected packets.",
"rdfs:label": "Packet Capture File",
"rdfs:subClassOf": [
{
"@id": "d3f:File"
},
{
"@id": "_:Ndf453465987546a69cde47abfa37a884"
}
]
},
{
"@id": "_:Ndf453465987546a69cde47abfa37a884",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkPacket"
}
},
{
"@id": "d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20050091319A1/"
},
"d3f:kb-author": "Steven Kirsch",
"d3f:kb-reference-of": [
{
"@id": "d3f:DomainNameReputationAnalysis"
},
{
"@id": "d3f:IPReputationAnalysis"
}
],
"d3f:kb-reference-title": "Database for receiving, storing and compiling information about email messages",
"rdfs:label": "Reference - Database for receiving, storing and compiling information about email messages"
},
{
"@id": "d3f:Reference-SystemAndMethodForDetectionOfAChangeInBehaviorInTheUseOfAWebsiteThroughVectorVelocityAnalysis_SilverTailSystems",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20100235909A1/en?oq=US+20100235909+A1"
},
"d3f:kb-abstract": "A system and software for identifying the change of user behavior on a website includes analyzing the actions of users on a website comprising a plurality of fields or input parameters that identify the actions performed on a website including fields related to previous actions by that user or other users of the website. The fields or input parameters are represented in a vector format where vectors represent different sessions of activity on the website, pages of the website, users of the website, or other attributes of the use of a website. Analysis is performed to determine if new sessions are similar or dissimilar to previously known sessions and if a session is converging or diverging from known sessions based on the velocity and direction of the velocity of the vectors in the vector space.",
"d3f:kb-author": "Mike Eynon; Laura Mather; Erik Westland; Jim Lloyd",
"d3f:kb-mitre-analysis": "This patent describes a technique for detecting fraudulent behavior on a website. Website behavior is mapped to build a multidimensional representation of user actions on a website that is updated as additional actions are recorded. Example actions on a website that are recorded include clicks by a user on the website and entering data into forms. Current behavior is compared against baseline recorded behavior and if current behavior deviates above a threshold, an alert is issued.",
"d3f:kb-organization": "Silver Tail Systems",
"d3f:kb-reference-of": {
"@id": "d3f:WebSessionActivityAnalysis"
},
"d3f:kb-reference-title": "System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis",
"rdfs:label": "Reference - System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - Silver Tail Systems"
},
{
"@id": "d3f:DeepConvolutionalGAN",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DCG",
"d3f:definition": "Deep Convolutional GAN (DCGAN) uses convolutional and convolutional-transpose layers in the generator and discriminator, respectively.",
"d3f:kb-article": "## References\nAnalytics Vidhya. (2021). Deep Convolutional Generative Adversarial Network (DCGAN) for Beginners. [Link](https://www.analyticsvidhya.com/blog/2021/07/deep-convolutional-generative-adversarial-network-dcgan-for-beginners/)",
"d3f:synonym": "DCGAN",
"rdfs:label": "Deep Convolutional GAN",
"rdfs:subClassOf": {
"@id": "d3f:ImageSynthesisGAN"
}
},
{
"@id": "d3f:DesktopComputer",
"@type": "owl:Class",
"d3f:definition": "A desktop computer is a personal computer designed for regular use at a single location on or near a desk or table due to its size and power requirements. The most common configuration has a case that houses the power supply, motherboard (a printed circuit board with a microprocessor as the central processing unit (CPU), memory, bus, and other electronic components, disk storage (usually one or more hard disk drives, solid state drives, optical disc drives, and in early models a floppy disk drive); a keyboard and mouse for input; and a computer monitor, speakers, and, often, a printer for output. The case may be oriented horizontally or vertically and placed either underneath, beside, or on top of a desk.",
"rdfs:isDefinedBy": {
"@id": "dbr:Desktop_computer"
},
"rdfs:label": "Desktop Computer",
"rdfs:subClassOf": {
"@id": "d3f:PersonalComputer"
}
},
{
"@id": "d3f:CWE-304",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-304",
"d3f:definition": "The product implements an authentication technique, but it skips a step that weakens the technique.",
"rdfs:label": "Missing Critical Step in Authentication",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-303"
},
{
"@id": "d3f:CWE-573"
}
]
},
{
"@id": "d3f:T1141",
"@type": "owl:Class",
"d3f:attack-id": "T1141",
"d3f:definition": "When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1056.002",
"rdfs:label": "Input Prompt",
"rdfs:seeAlso": "T1056.002",
"rdfs:subClassOf": {
"@id": "d3f:CredentialAccessTechnique"
}
},
{
"@id": "d3f:BayesianEstimation",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-BE",
"d3f:definition": "A Bayes estimator or a Bayes action is an estimator or decision rule that minimizes the posterior expected value of a loss function (i.e., the posterior expected loss).",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Bayes estimator. [Link](https://en.wikipedia.org/wiki/Bayes_estimator)",
"rdfs:label": "Bayesian Estimation",
"rdfs:subClassOf": {
"@id": "d3f:BayesianMethod"
}
},
{
"@id": "d3f:PhysicalLinkErrorDisableEvent",
"@type": "owl:Class",
"d3f:definition": "The device automatically disables the link in response to fault conditions such as excessive faults or signal degradation.",
"rdfs:label": "Physical Link Error Disable Event",
"rdfs:subClassOf": [
{
"@id": "d3f:PhysicalLinkEvent"
},
{
"@id": "_:N4e1144a99f5d458da166fadfe8340392"
}
]
},
{
"@id": "_:N4e1144a99f5d458da166fadfe8340392",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:PhysicalLinkDownEvent"
}
},
{
"@id": "d3f:Reference-NIST-Special-Publication-800-53A-Revision-5",
"@type": [
"owl:NamedIndividual",
"d3f:GuidelineReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://doi.org/10.6028/NIST.SP.800-53Ar5"
},
"d3f:kb-abstract": "This publication provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided with guidance on analyzing assessment results.",
"d3f:kb-organization": "NIST",
"d3f:kb-reference-of": {
"@id": "d3f:OperationalRiskAssessment"
},
"d3f:kb-reference-title": "NIST Special Publication 800-53A Revision 5 - Assessing Security and Privacy Controls in Information Systems and Organizations",
"rdfs:label": "Reference - NIST Special Publication 800-53A Revision 5 - Assessing Security and Privacy Controls in Information Systems and Organizations"
},
{
"@id": "d3f:CWE-1051",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1051",
"d3f:definition": "The product initializes data using hard-coded values that act as network resource identifiers.",
"rdfs:label": "Initialization with Hard-Coded Network Resource Configuration Data",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1419"
},
{
"@id": "d3f:CWE-665"
}
]
},
{
"@id": "d3f:has-goal",
"@type": "owl:ObjectProperty",
"rdfs:label": "has-goal",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-use-case-object-property"
}
},
{
"@id": "d3f:LoadModule",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A system call that loads a driver or extension into the kernel.",
"d3f:loads": [
{
"@id": "d3f:HardwareDriver"
},
{
"@id": "d3f:KernelModule"
}
],
"rdfs:label": "Load Module",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N12a4f879ba084e63a375eb1c886fb1af"
},
{
"@id": "_:N71ce388b445b4295b5bd166c8fb0e8e0"
}
]
},
{
"@id": "_:N12a4f879ba084e63a375eb1c886fb1af",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:loads"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDriver"
}
},
{
"@id": "_:N71ce388b445b4295b5bd166c8fb0e8e0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:loads"
},
"owl:someValuesFrom": {
"@id": "d3f:KernelModule"
}
},
{
"@id": "d3f:Perturbation-basedLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-PBL",
"d3f:definition": "Perturbation based methods are proposed under the smoothness assumption, which indicates that two data points close to each other in feature space are likely to have the same label.",
"d3f:kb-article": "## References\nZheng, Y., & Song, Y. (2021). An Effective Perturbation-Based Semi-Supervised Learning Method for Acoustic Event Classification. IEEE/ACM Transactions on Audio, Speech, and Language Processing, 29, 3580-3591. [Link](https://www.semanticscholar.org/paper/An-Effective-Perturbation-Based-Semi-Supervised-for-Zheng-Song/b75ae37d137ac354eb2ed42917e461b4dccdc977).\n\nEngelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6).",
"rdfs:label": "Perturbation-based Learning",
"rdfs:subClassOf": {
"@id": "d3f:IntrinsicallySemi-supervisedLearning"
}
},
{
"@id": "d3f:ProcessStartFunction",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A function creates a new computer process, usually by invoking a create process system call.",
"d3f:invokes": {
"@id": "d3f:CreateProcess"
},
"rdfs:label": "Process Start Function",
"rdfs:subClassOf": [
{
"@id": "d3f:Subroutine"
},
{
"@id": "_:N263a919fb1bc427ea54ffd4d23ceaeff"
}
]
},
{
"@id": "_:N263a919fb1bc427ea54ffd4d23ceaeff",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "d3f:WindowsRegistryValue",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contained-by": {
"@id": "d3f:WindowsRegistryKey"
},
"d3f:definition": "A Windows Registry Value is a data structure consisting of a name, type, data (as a pointer), and the length. Windows Registry Values are always associated with a Windows Registry Key. They store the actual configuration data for the operating system and the programs that run on the system.",
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/winreg/ns-winreg-valentw"
},
"rdfs:label": "Windows Registry Value",
"rdfs:seeAlso": [
{
"@id": "https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry"
},
{
"@id": "https://schema.ocsf.io/objects/registry_value"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:SystemConfigurationDatabaseRecord"
},
{
"@id": "_:N1215ab3a319845e6be7a056755e50475"
},
{
"@id": "_:N51e069be667b4ecab735e7348bcf02ec"
}
]
},
{
"@id": "_:N1215ab3a319845e6be7a056755e50475",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contained-by"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryKey"
}
},
{
"@id": "_:N51e069be667b4ecab735e7348bcf02ec",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:windows-registry-value"
},
"owl:someValuesFrom": {
"@id": "xsd:string"
}
},
{
"@id": "d3f:T1036.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1036.003",
"d3f:definition": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)",
"d3f:may-create": {
"@id": "d3f:ExecutableFile"
},
"d3f:may-modify": {
"@id": "d3f:OperatingSystemExecutableFile"
},
"rdfs:label": "Rename Legitimate Utilities",
"rdfs:subClassOf": [
{
"@id": "d3f:T1036"
},
{
"@id": "_:Nf2505fc7213c4c27a0b94398e9669168"
},
{
"@id": "_:N6161caade6ef4c9198d6e76aee38daca"
}
]
},
{
"@id": "_:Nf2505fc7213c4c27a0b94398e9669168",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableFile"
}
},
{
"@id": "_:N6161caade6ef4c9198d6e76aee38daca",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingSystemExecutableFile"
}
},
{
"@id": "d3f:CWE-1420",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1420",
"d3f:definition": "A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.",
"rdfs:label": "Exposure of Sensitive Information during Transient Execution",
"rdfs:subClassOf": {
"@id": "d3f:CWE-669"
}
},
{
"@id": "d3f:CWE-119",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-119",
"d3f:definition": "The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.",
"d3f:synonym": [
"Buffer Overflow",
"buffer overrun",
"memory safety"
],
"d3f:weakness-of": {
"@id": "d3f:RawMemoryAccessFunction"
},
"rdfs:label": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-118"
},
{
"@id": "_:N8a5f214436674753889345dfcbeb360b"
}
]
},
{
"@id": "_:N8a5f214436674753889345dfcbeb360b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:RawMemoryAccessFunction"
}
},
{
"@id": "d3f:T1154",
"@type": "owl:Class",
"d3f:attack-id": "T1154",
"d3f:definition": "The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1546.005",
"rdfs:label": "Trap",
"rdfs:seeAlso": "T1546.005",
"rdfs:subClassOf": [
{
"@id": "d3f:ExecutionTechnique"
},
{
"@id": "d3f:PersistenceTechnique"
}
]
},
{
"@id": "d3f:UnloadModule",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A system call that unloads a driver or extension from the kernel.",
"d3f:unloads": [
{
"@id": "d3f:HardwareDriver"
},
{
"@id": "d3f:KernelModule"
}
],
"rdfs:label": "Unload Module",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N002cce702db6406cb898d29e78b91f0a"
},
{
"@id": "_:Nbc621cea53334f75a5998b0a0deda0fb"
}
]
},
{
"@id": "_:N002cce702db6406cb898d29e78b91f0a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:unloads"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDriver"
}
},
{
"@id": "_:Nbc621cea53334f75a5998b0a0deda0fb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:unloads"
},
"owl:someValuesFrom": {
"@id": "d3f:KernelModule"
}
},
{
"@id": "d3f:T1546.014",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1546.014",
"d3f:definition": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.",
"d3f:may-create": {
"@id": "d3f:PropertyListFile"
},
"d3f:may-modify": {
"@id": "d3f:PropertyListFile"
},
"d3f:modifies": {
"@id": "d3f:ConfigurationResource"
},
"rdfs:label": "Emond",
"rdfs:subClassOf": [
{
"@id": "d3f:T1546"
},
{
"@id": "_:N904651a878204a4faafc3afda64d576e"
},
{
"@id": "_:N68b35eda595240b6b1c2a1fe81957554"
},
{
"@id": "_:N81d851ed499c4c3eb11e9b71feb5faa2"
}
]
},
{
"@id": "_:N904651a878204a4faafc3afda64d576e",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:PropertyListFile"
}
},
{
"@id": "_:N68b35eda595240b6b1c2a1fe81957554",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:PropertyListFile"
}
},
{
"@id": "_:N81d851ed499c4c3eb11e9b71feb5faa2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ConfigurationResource"
}
},
{
"@id": "d3f:T1048.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1048.002",
"d3f:definition": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.",
"d3f:may-transfer": {
"@id": "d3f:CertificateFile"
},
"d3f:produces": {
"@id": "d3f:OutboundInternetEncryptedTraffic"
},
"rdfs:label": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
"rdfs:subClassOf": [
{
"@id": "d3f:T1048"
},
{
"@id": "_:Nba85265389204276a0c8cae8b164dd15"
},
{
"@id": "_:Nca8c8adb36134c7f899a6f7269e9eac5"
}
]
},
{
"@id": "_:Nba85265389204276a0c8cae8b164dd15",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-transfer"
},
"owl:someValuesFrom": {
"@id": "d3f:CertificateFile"
}
},
{
"@id": "_:Nca8c8adb36134c7f899a6f7269e9eac5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetEncryptedTraffic"
}
},
{
"@id": "d3f:AccessControlList",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A list of permissions attached to an object.",
"d3f:restricts": {
"@id": "d3f:UserGroup"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Access-control_list"
},
"rdfs:label": "Access Control List",
"rdfs:subClassOf": [
{
"@id": "d3f:AccessControlConfiguration"
},
{
"@id": "_:Na995c0cb27d04afa8770f269bdec3ecf"
}
]
},
{
"@id": "_:Na995c0cb27d04afa8770f269bdec3ecf",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restricts"
},
"owl:someValuesFrom": {
"@id": "d3f:UserGroup"
}
},
{
"@id": "d3f:CWE-1329",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1329",
"d3f:definition": "The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.",
"rdfs:label": "Reliance on Component That is Not Updateable",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1357"
},
{
"@id": "d3f:CWE-664"
}
]
},
{
"@id": "d3f:LogististicRegressionLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-LRL",
"d3f:definition": "A supervised learning method that builds a logistic regression model using training data.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Logistic regression. [Link](https://en.wikipedia.org/wiki/Logistic_regression)",
"rdfs:label": "Logistic Regression Learning",
"rdfs:seeAlso": {
"@id": "d3f:LogisticRegression"
},
"rdfs:subClassOf": {
"@id": "d3f:RegressionAnalysisLearning"
}
},
{
"@id": "d3f:DigitalText",
"@type": "owl:Class",
"d3f:definition": "Digital text is written content encoded in a digital format, allowing for storage, retrieval, and manipulation by electronic devices.",
"rdfs:label": "Digital Text",
"rdfs:subClassOf": {
"@id": "d3f:DigitalMedia"
}
},
{
"@id": "d3f:T1037.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1037.001",
"d3f:definition": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)",
"d3f:modifies": {
"@id": "d3f:UserInitScript"
},
"rdfs:label": "Logon Script (Windows)",
"rdfs:subClassOf": [
{
"@id": "d3f:T1037"
},
{
"@id": "_:Ndbf284852dd441c7af8fba80804b97f0"
}
]
},
{
"@id": "_:Ndbf284852dd441c7af8fba80804b97f0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:UserInitScript"
}
},
{
"@id": "d3f:AssociationRuleLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-ARL",
"d3f:definition": "Association rule learning is a rule-based machine learning method for discovering interesting relations between variables in large databases.",
"d3f:kb-article": "## References\nAssociation rule learning. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Association_rule_learning)",
"rdfs:label": "Association Rule Learning",
"rdfs:subClassOf": {
"@id": "d3f:UnsupervisedLearning"
}
},
{
"@id": "d3f:CWE-565",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-565",
"d3f:definition": "The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.",
"rdfs:label": "Reliance on Cookies without Validation and Integrity Checking",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-602"
},
{
"@id": "d3f:CWE-642"
}
]
},
{
"@id": "d3f:CWE-1060",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1060",
"d3f:definition": "The product performs too many data queries without using efficient data processing functionality such as stored procedures.",
"rdfs:label": "Excessive Number of Inefficient Server-Side Data Accesses",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1120"
}
},
{
"@id": "d3f:SharedComputer",
"@type": "owl:Class",
"d3f:definition": "A computer whose resources are intended to be shared widely.",
"rdfs:label": "Shared Computer",
"rdfs:seeAlso": {
"@id": "dbr:Time-sharing"
},
"rdfs:subClassOf": {
"@id": "d3f:ClientComputer"
}
},
{
"@id": "d3f:Semi-supervisedTransductiveLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SSTL",
"d3f:definition": "The goal of transductive learning is to infer the correct labels for the given unlabeled data\nx_{l+1},... ,x_{l+u} only",
"d3f:kb-article": "## References\nSemi-Supervised Learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning#Semi-supervised_learning).\n\nZhou, D., & Li, M. (2005). Semi-supervised learning by higher order regularization. In Proceedings of the 43rd Annual Meeting of the Association for Computational Linguistics (ACL) (pp. 1-9). [Link](https://www.cs.sfu.ca/~anoop/papers/pdf/semisup_naacl.pdf).",
"rdfs:label": "Semi-supervised Transductive Learning",
"rdfs:subClassOf": {
"@id": "d3f:Semi-SupervisedLearning"
}
},
{
"@id": "d3f:CCI-002005_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system, for biometric-based authentication, employs mechanisms that satisfy organization-defined biometric quality requirements.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:BiometricAuthentication"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-05-03T00:00:00"
},
"rdfs:label": "CCI-002005"
},
{
"@id": "d3f:OTDeviceFirmwareCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Interact with the software responsible for low-level control of the system.",
"rdfs:label": "OT Firmware Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTDeviceManagementMessageEvent"
},
{
"@id": "_:N07fc4a26a7bf45069e0b14e95b1e2cbd"
}
]
},
{
"@id": "_:N07fc4a26a7bf45069e0b14e95b1e2cbd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTDeviceFirmwareCommand"
}
},
{
"@id": "d3f:OTDiagnosticsMessageEvent",
"@type": "owl:Class",
"d3f:definition": "Relay error, exception, alarm, or log information.",
"rdfs:label": "OT Diagnostics Message Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTEvent"
},
{
"@id": "_:Nd04cf9da54d24b23bd0ce0057d812154"
}
]
},
{
"@id": "_:Nd04cf9da54d24b23bd0ce0057d812154",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTDiagnosticsMessage"
}
},
{
"@id": "d3f:T1594",
"@type": "owl:Class",
"d3f:attack-id": "T1594",
"d3f:definition": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)",
"rdfs:label": "Search Victim-Owned Websites",
"rdfs:subClassOf": {
"@id": "d3f:ReconnaissanceTechnique"
}
},
{
"@id": "d3f:CCI-001067_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements privileged access authorization to organization-identified information system components for selected organization-defined vulnerability scanning activities.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:PlatformHardening"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001067"
},
{
"@id": "d3f:WindowsNtWriteFileGather",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Writes specified block of file with data from memory pages.",
"rdfs:label": "Windows NtWriteFileGather",
"rdfs:seeAlso": {
"@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
},
"rdfs:subClassOf": {
"@id": "d3f:OSAPIWriteFile"
}
},
{
"@id": "d3f:M1042",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": [
{
"@id": "d3f:ApplicationConfigurationHardening"
},
{
"@id": "d3f:ExecutableDenylisting"
},
{
"@id": "d3f:SystemCallFiltering"
}
],
"rdfs:label": "Disable or Remove Feature or Program"
},
{
"@id": "d3f:WindowsNtDeleteFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Deletes the specified file.",
"rdfs:label": "Windows NtDeleteFile",
"rdfs:seeAlso": {
"@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
},
"rdfs:subClassOf": {
"@id": "d3f:OSAPIDeleteFile"
}
},
{
"@id": "d3f:RubyScriptFile",
"@type": [
"owl:NamedIndividual",
"d3f:ExecutableScript"
],
"rdfs:label": "Ruby Script File"
},
{
"@id": "d3f:CWE-1102",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1102",
"d3f:definition": "The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.",
"rdfs:label": "Reliance on Machine-Dependent Data Representation",
"rdfs:subClassOf": {
"@id": "d3f:CWE-758"
}
},
{
"@id": "d3f:GetRunningProcesses",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:enumerates": {
"@id": "d3f:Process"
},
"rdfs:label": "Get Running Processes",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N6d5d0a29abc643a29a2211cef1cfb699"
}
]
},
{
"@id": "_:N6d5d0a29abc643a29a2211cef1cfb699",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enumerates"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:NetworkLink",
"@type": "owl:Class",
"d3f:definition": "A network link is a link within the network layer, which is responsible for packet forwarding including routing through intermediate routers.",
"d3f:synonym": [
"Layer-3 Link",
"Network Layer Link"
],
"rdfs:label": "Network Link",
"rdfs:seeAlso": [
{
"@id": "https://dbpedia.org/resource/Network_layer"
},
{
"@id": "https://www.techtarget.com/searchnetworking/definition/Network-layer"
}
],
"rdfs:subClassOf": {
"@id": "d3f:LogicalLink"
}
},
{
"@id": "d3f:MoveFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A system call to rename or move a file. Linux's rename() is an example of this kind of system call. Another way of handling it is to call a copy file system call followed by a delete file system call.",
"d3f:modifies": {
"@id": "d3f:FileSystemMetadata"
},
"rdfs:label": "Move File",
"rdfs:seeAlso": {
"@id": "https://man7.org/linux/man-pages/man2/rename.2.html"
},
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Na4d5d9101d734cc8b8cf50e62961a865"
}
],
"skos:altLabel": "Rename File"
},
{
"@id": "_:Na4d5d9101d734cc8b8cf50e62961a865",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:FileSystemMetadata"
}
},
{
"@id": "d3f:CWE-176",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-176",
"d3f:definition": "The product does not properly handle when an input contains Unicode encoding.",
"rdfs:label": "Improper Handling of Unicode Encoding",
"rdfs:subClassOf": {
"@id": "d3f:CWE-172"
}
},
{
"@id": "d3f:DigitalAudio",
"@type": "owl:Class",
"d3f:definition": "Digital audio is a representation of sound recorded in, or converted into, digital form.",
"rdfs:isDefinedBy": "https://dbpedia.org/page/Digital_audio",
"rdfs:label": "Digital Audio",
"rdfs:subClassOf": {
"@id": "d3f:DigitalMedia"
}
},
{
"@id": "d3f:CCI-002689_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:FileContentRules"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system collects indicators of compromise.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-11T00:00:00"
},
"rdfs:label": "CCI-002689"
},
{
"@id": "d3f:HTTPURL",
"@type": [
"owl:NamedIndividual",
"d3f:URL"
],
"rdfs:label": "HTTP URL"
},
{
"@id": "d3f:CWE-1264",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1264",
"d3f:definition": "The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.",
"rdfs:label": "Hardware Logic with Insecure De-Synchronization between Control and Data Channels",
"rdfs:subClassOf": {
"@id": "d3f:CWE-821"
}
},
{
"@id": "d3f:CloudServiceProvider",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A cloud service provider delivers scalable and distributed computing resources over a network, enabling clients to access infrastructure, platforms, and applications remotely.",
"rdfs:label": "Cloud Service Provider",
"rdfs:subClassOf": {
"@id": "d3f:ServiceProvider"
}
},
{
"@id": "d3f:FileHashing",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:FileHashing"
],
"d3f:d3fend-id": "D3-FH",
"d3f:definition": "Employing file hash comparisons to detect known malware.",
"d3f:kb-article": "## How it works\nThis technique requires a list of hashes to compare a file against.\n\n## Considerations\nPerformance on large files or very large numbers of files.",
"d3f:kb-reference": {
"@id": "d3f:Reference-Munin"
},
"rdfs:label": "File Hashing",
"rdfs:subClassOf": {
"@id": "d3f:FileAnalysis"
}
},
{
"@id": "d3f:Reference-SuspiciousArguments_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2013-07-001/"
},
"d3f:kb-abstract": "Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.",
"d3f:kb-author": "",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2013-07-001: Suspicious Arguments",
"rdfs:label": "Reference - CAR-2013-07-001: Suspicious Arguments - MITRE"
},
{
"@id": "d3f:WindowsNtWriteFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Writes data to an open file.",
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntwritefile"
},
"rdfs:label": "Windows NtWriteFile",
"rdfs:seeAlso": {
"@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
},
"rdfs:subClassOf": {
"@id": "d3f:OSAPIWriteFile"
}
},
{
"@id": "d3f:T1550.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1550.003",
"d3f:creates": {
"@id": "d3f:Authentication"
},
"d3f:definition": "Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.",
"rdfs:label": "Pass the Ticket",
"rdfs:subClassOf": [
{
"@id": "d3f:T1550"
},
{
"@id": "_:N561796b2fbc24d7d816286408919fa9c"
}
]
},
{
"@id": "_:N561796b2fbc24d7d816286408919fa9c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:Authentication"
}
},
{
"@id": "d3f:LinuxCloneArgumentCLONE_THREAD",
"@type": "owl:Class",
"d3f:definition": "A flag parameter to the Clone syscall. If set, the child is placed in the same thread group as the calling process.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/clone.2.html"
},
"rdfs:label": "Linux Clone Argument CLONE_THREAD",
"rdfs:subClassOf": {
"@id": "d3f:OSAPICreateThread"
}
},
{
"@id": "d3f:OTCreateDataCommand",
"@type": "owl:Class",
"d3f:definition": "OT command that creates data on a remote device.",
"rdfs:comment": [
"BACnet: addListElement\nBACnet: createObject",
"CIP: Insert Member"
],
"rdfs:label": "OT Create Data Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTWriteCommand"
}
},
{
"@id": "d3f:T1014",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1014",
"d3f:definition": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)",
"d3f:may-modify": [
{
"@id": "d3f:BootSector"
},
{
"@id": "d3f:Firmware"
},
{
"@id": "d3f:Kernel"
},
{
"@id": "d3f:KernelModule"
},
{
"@id": "d3f:SharedLibraryFile"
}
],
"rdfs:label": "Rootkit",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "_:Nc08f2b67d4294058a133c369ec4f7718"
},
{
"@id": "_:Na1bebd808be140bfa1272f90031b48c8"
},
{
"@id": "_:Nf0d5c733a7024e8ab1daa54acaf23eb7"
},
{
"@id": "_:N1bdfba929b8047159645cebb44ada1d0"
},
{
"@id": "_:N9db626dca9b84b2e8680ff20f4223773"
}
]
},
{
"@id": "_:Nc08f2b67d4294058a133c369ec4f7718",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:BootSector"
}
},
{
"@id": "_:Na1bebd808be140bfa1272f90031b48c8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:Firmware"
}
},
{
"@id": "_:Nf0d5c733a7024e8ab1daa54acaf23eb7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:Kernel"
}
},
{
"@id": "_:N1bdfba929b8047159645cebb44ada1d0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:KernelModule"
}
},
{
"@id": "_:N9db626dca9b84b2e8680ff20f4223773",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:SharedLibraryFile"
}
},
{
"@id": "d3f:CCI-002364_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:ProcessTermination"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-26T00:00:00"
},
"rdfs:label": "CCI-002364"
},
{
"@id": "d3f:T1596.003",
"@type": "owl:Class",
"d3f:attack-id": "T1596.003",
"d3f:definition": "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.",
"rdfs:label": "Digital Certificates",
"rdfs:subClassOf": {
"@id": "d3f:T1596"
}
},
{
"@id": "d3f:OTConnectionCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Establish a network connection with a device.",
"rdfs:label": "OT Connection Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTNetworkManagementCommandEvent"
},
{
"@id": "_:Nae828080aec446fe9dc5ba86ec8ea25f"
},
{
"@id": "_:N6812342dd2dc4cf396c610e87c0df4ef"
}
]
},
{
"@id": "_:Nae828080aec446fe9dc5ba86ec8ea25f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTraffic"
}
},
{
"@id": "_:N6812342dd2dc4cf396c610e87c0df4ef",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTConnectionCommand"
}
},
{
"@id": "d3f:FileMetadata",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Information that describes and provides context about a file's content, structure, and attributes.",
"rdfs:label": "File Metadata",
"rdfs:subClassOf": {
"@id": "d3f:Metadata"
}
},
{
"@id": "d3f:T1140",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1140",
"d3f:definition": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.",
"d3f:invokes": {
"@id": "d3f:CreateProcess"
},
"d3f:may-add": {
"@id": "d3f:ExecutableFile"
},
"d3f:may-modify": {
"@id": "d3f:EventLog"
},
"rdfs:label": "Deobfuscate/Decode Files or Information",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "_:N51dbf3b292494c7fa7b408d1074daa4a"
},
{
"@id": "_:Ncce82f6c9ee74f8caf6128355973c2bd"
},
{
"@id": "_:Na17b4ac8faba4bdfaac3146034a9b5bc"
}
]
},
{
"@id": "_:N51dbf3b292494c7fa7b408d1074daa4a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "_:Ncce82f6c9ee74f8caf6128355973c2bd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-add"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableFile"
}
},
{
"@id": "_:Na17b4ac8faba4bdfaac3146034a9b5bc",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:EventLog"
}
},
{
"@id": "d3f:Group",
"@type": "owl:Class",
"rdfs:label": "Group",
"rdfs:subClassOf": {
"@id": "d3f:D3FENDCore"
}
},
{
"@id": "d3f:T1098.007",
"@type": "owl:Class",
"d3f:attack-id": "T1098.007",
"d3f:definition": "An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.",
"rdfs:label": "Additional Local or Domain Groups",
"rdfs:subClassOf": {
"@id": "d3f:T1098"
}
},
{
"@id": "d3f:Reference-FirmwareBehaviorAnalysisVIPER",
"@type": [
"owl:NamedIndividual",
"d3f:AcademicPaperReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://dl.acm.org/doi/pdf/10.1145/2046707.2046711"
},
"d3f:kb-abstract": "Recent research demonstrates that malware can infect peripherals' firmware in a typical x86 computer system, e.g., by exploiting vulnerabilities in the firmware itself or in the firmware update tools. Verifying the integrity of peripherals' firmware is thus an important challenge. We propose software-only attestation protocols to verify the integrity of peripherals' firmware, and show that they can detect all known software-based attacks.",
"d3f:kb-author": "Yanlin Li, Jonathan M. McCune, Adrian Perrig",
"d3f:kb-organization": "CyLab, Carnegie Mellon University",
"d3f:kb-reference-of": {
"@id": "d3f:FirmwareBehaviorAnalysis"
},
"d3f:kb-reference-title": "VIPER: Verifying the Integrity of PERipherals' Firmware",
"rdfs:label": "Reference - Firmware Behavior Analysis VIPER"
},
{
"@id": "d3f:CWE-272",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-272",
"d3f:definition": "The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.",
"rdfs:label": "Least Privilege Violation",
"rdfs:subClassOf": {
"@id": "d3f:CWE-271"
}
},
{
"@id": "d3f:CWE-173",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-173",
"d3f:definition": "The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.",
"rdfs:label": "Improper Handling of Alternate Encoding",
"rdfs:subClassOf": {
"@id": "d3f:CWE-172"
}
},
{
"@id": "d3f:SSHConnectionFailEvent",
"@type": "owl:Class",
"d3f:definition": "An event indicating a failure to establish an SSH connection, often due to issues such as authentication errors, network timeouts, or server unavailability.",
"rdfs:label": "SSH Connection Fail Event",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkConnectionFailEvent"
},
{
"@id": "d3f:SSHEvent"
}
]
},
{
"@id": "d3f:NetworkTimeServer",
"@type": "owl:Class",
"d3f:definition": "A network time server is a server computer that reads the actual time from a reference clock and distributes this information to its clients using a computer network. The time server may be a local network time server or an internet time server. The time server may also be a stand-alone hardware device. It can use NTP (RFC5905) or other protocols.",
"rdfs:label": "Network Time Server",
"rdfs:seeAlso": {
"@id": "dbr:Time_server"
},
"rdfs:subClassOf": {
"@id": "d3f:Server"
}
},
{
"@id": "d3f:PointEstimation",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-PE",
"d3f:definition": "A point estimation is a single value that estimates the parameter. Point estimates are single values calculated from the sample",
"d3f:kb-article": "## References\nPennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)",
"rdfs:label": "Point Estimation",
"rdfs:subClassOf": {
"@id": "d3f:Estimation"
}
},
{
"@id": "d3f:CCI-001991_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:Certificate-basedAuthentication"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-05-03T00:00:00"
},
"rdfs:label": "CCI-001991"
},
{
"@id": "d3f:CCICatalog_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:ControlCorrelationIdentifierCatalog"
],
"d3f:archived-at": {
"@type": "xsd:anyURI",
"@value": "https://public.cyber.mil/stigs/cci/"
},
"d3f:has-member": [
{
"@id": "d3f:CCI-000015_v2022-04-05"
},
{
"@id": "d3f:CCI-000016_v2022-04-05"
},
{
"@id": "d3f:CCI-000017_v2022-04-05"
},
{
"@id": "d3f:CCI-000018_v2022-04-05"
},
{
"@id": "d3f:CCI-000020_v2022-04-05"
},
{
"@id": "d3f:CCI-000022_v2022-04-05"
},
{
"@id": "d3f:CCI-000025_v2022-04-05"
},
{
"@id": "d3f:CCI-000027_v2022-04-05"
},
{
"@id": "d3f:CCI-000029_v2022-04-05"
},
{
"@id": "d3f:CCI-000030_v2022-04-05"
},
{
"@id": "d3f:CCI-000032_v2022-04-05"
},
{
"@id": "d3f:CCI-000034_v2022-04-05"
},
{
"@id": "d3f:CCI-000035_v2022-04-05"
},
{
"@id": "d3f:CCI-000037_v2022-04-05"
},
{
"@id": "d3f:CCI-000040_v2022-04-05"
},
{
"@id": "d3f:CCI-000044_v2022-04-05"
},
{
"@id": "d3f:CCI-000047_v2022-04-05"
},
{
"@id": "d3f:CCI-000056_v2022-04-05"
},
{
"@id": "d3f:CCI-000057_v2022-04-05"
},
{
"@id": "d3f:CCI-000058_v2022-04-05"
},
{
"@id": "d3f:CCI-000060_v2022-04-05"
},
{
"@id": "d3f:CCI-000066_v2022-04-05"
},
{
"@id": "d3f:CCI-000067_v2022-04-05"
},
{
"@id": "d3f:CCI-000068_v2022-04-05"
},
{
"@id": "d3f:CCI-000071_v2022-04-05"
},
{
"@id": "d3f:CCI-000139_v2022-04-05"
},
{
"@id": "d3f:CCI-000143_v2022-04-05"
},
{
"@id": "d3f:CCI-000144_v2022-04-05"
},
{
"@id": "d3f:CCI-000162_v2022-04-05"
},
{
"@id": "d3f:CCI-000163_v2022-04-05"
},
{
"@id": "d3f:CCI-000164_v2022-04-05"
},
{
"@id": "d3f:CCI-000185_v2022-04-05"
},
{
"@id": "d3f:CCI-000186_v2022-04-05"
},
{
"@id": "d3f:CCI-000187_v2022-04-05"
},
{
"@id": "d3f:CCI-000192_v2022-04-05"
},
{
"@id": "d3f:CCI-000193_v2022-04-05"
},
{
"@id": "d3f:CCI-000194_v2022-04-05"
},
{
"@id": "d3f:CCI-000195_v2022-04-05"
},
{
"@id": "d3f:CCI-000196_v2022-04-05"
},
{
"@id": "d3f:CCI-000197_v2022-04-05"
},
{
"@id": "d3f:CCI-000198_v2022-04-05"
},
{
"@id": "d3f:CCI-000199_v2022-04-05"
},
{
"@id": "d3f:CCI-000200_v2022-04-05"
},
{
"@id": "d3f:CCI-000205_v2022-04-05"
},
{
"@id": "d3f:CCI-000213_v2022-04-05"
},
{
"@id": "d3f:CCI-000218_v2022-04-05"
},
{
"@id": "d3f:CCI-000219_v2022-04-05"
},
{
"@id": "d3f:CCI-000226_v2022-04-05"
},
{
"@id": "d3f:CCI-000346_v2022-04-05"
},
{
"@id": "d3f:CCI-000352_v2022-04-05"
},
{
"@id": "d3f:CCI-000374_v2022-04-05"
},
{
"@id": "d3f:CCI-000381_v2022-04-05"
},
{
"@id": "d3f:CCI-000382_v2022-04-05"
},
{
"@id": "d3f:CCI-000386_v2022-04-05"
},
{
"@id": "d3f:CCI-000417_v2022-04-05"
},
{
"@id": "d3f:CCI-000663_v2022-04-05"
},
{
"@id": "d3f:CCI-000764_v2022-04-05"
},
{
"@id": "d3f:CCI-000765_v2022-04-05"
},
{
"@id": "d3f:CCI-000766_v2022-04-05"
},
{
"@id": "d3f:CCI-000767_v2022-04-05"
},
{
"@id": "d3f:CCI-000768_v2022-04-05"
},
{
"@id": "d3f:CCI-000771_v2022-04-05"
},
{
"@id": "d3f:CCI-000772_v2022-04-05"
},
{
"@id": "d3f:CCI-000774_v2022-04-05"
},
{
"@id": "d3f:CCI-000776_v2022-04-05"
},
{
"@id": "d3f:CCI-000804_v2022-04-05"
},
{
"@id": "d3f:CCI-000831_v2022-04-05"
},
{
"@id": "d3f:CCI-000877_v2022-04-05"
},
{
"@id": "d3f:CCI-000880_v2022-04-05"
},
{
"@id": "d3f:CCI-000884_v2022-04-05"
},
{
"@id": "d3f:CCI-000888_v2022-04-05"
},
{
"@id": "d3f:CCI-001009_v2022-04-05"
},
{
"@id": "d3f:CCI-001019_v2022-04-05"
},
{
"@id": "d3f:CCI-001067_v2022-04-05"
},
{
"@id": "d3f:CCI-001069_v2022-04-05"
},
{
"@id": "d3f:CCI-001082_v2022-04-05"
},
{
"@id": "d3f:CCI-001083_v2022-04-05"
},
{
"@id": "d3f:CCI-001084_v2022-04-05"
},
{
"@id": "d3f:CCI-001085_v2022-04-05"
},
{
"@id": "d3f:CCI-001086_v2022-04-05"
},
{
"@id": "d3f:CCI-001087_v2022-04-05"
},
{
"@id": "d3f:CCI-001089_v2022-04-05"
},
{
"@id": "d3f:CCI-001090_v2022-04-05"
},
{
"@id": "d3f:CCI-001092_v2022-04-05"
},
{
"@id": "d3f:CCI-001094_v2022-04-05"
},
{
"@id": "d3f:CCI-001096_v2022-04-05"
},
{
"@id": "d3f:CCI-001100_v2022-04-05"
},
{
"@id": "d3f:CCI-001109_v2022-04-05"
},
{
"@id": "d3f:CCI-001111_v2022-04-05"
},
{
"@id": "d3f:CCI-001115_v2022-04-05"
},
{
"@id": "d3f:CCI-001117_v2022-04-05"
},
{
"@id": "d3f:CCI-001118_v2022-04-05"
},
{
"@id": "d3f:CCI-001124_v2022-04-05"
},
{
"@id": "d3f:CCI-001125_v2022-04-05"
},
{
"@id": "d3f:CCI-001127_v2022-04-05"
},
{
"@id": "d3f:CCI-001128_v2022-04-05"
},
{
"@id": "d3f:CCI-001133_v2022-04-05"
},
{
"@id": "d3f:CCI-001144_v2022-04-05"
},
{
"@id": "d3f:CCI-001145_v2022-04-05"
},
{
"@id": "d3f:CCI-001146_v2022-04-05"
},
{
"@id": "d3f:CCI-001147_v2022-04-05"
},
{
"@id": "d3f:CCI-001150_v2022-04-05"
},
{
"@id": "d3f:CCI-001166_v2022-04-05"
},
{
"@id": "d3f:CCI-001169_v2022-04-05"
},
{
"@id": "d3f:CCI-001170_v2022-04-05"
},
{
"@id": "d3f:CCI-001178_v2022-04-05"
},
{
"@id": "d3f:CCI-001185_v2022-04-05"
},
{
"@id": "d3f:CCI-001199_v2022-04-05"
},
{
"@id": "d3f:CCI-001200_v2022-04-05"
},
{
"@id": "d3f:CCI-001210_v2022-04-05"
},
{
"@id": "d3f:CCI-001211_v2022-04-05"
},
{
"@id": "d3f:CCI-001233_v2022-04-05"
},
{
"@id": "d3f:CCI-001237_v2022-04-05"
},
{
"@id": "d3f:CCI-001239_v2022-04-05"
},
{
"@id": "d3f:CCI-001242_v2022-04-05"
},
{
"@id": "d3f:CCI-001262_v2022-04-05"
},
{
"@id": "d3f:CCI-001297_v2022-04-05"
},
{
"@id": "d3f:CCI-001305_v2022-04-05"
},
{
"@id": "d3f:CCI-001310_v2022-04-05"
},
{
"@id": "d3f:CCI-001350_v2022-04-05"
},
{
"@id": "d3f:CCI-001352_v2022-04-05"
},
{
"@id": "d3f:CCI-001356_v2022-04-05"
},
{
"@id": "d3f:CCI-001368_v2022-04-05"
},
{
"@id": "d3f:CCI-001372_v2022-04-05"
},
{
"@id": "d3f:CCI-001373_v2022-04-05"
},
{
"@id": "d3f:CCI-001374_v2022-04-05"
},
{
"@id": "d3f:CCI-001376_v2022-04-05"
},
{
"@id": "d3f:CCI-001377_v2022-04-05"
},
{
"@id": "d3f:CCI-001399_v2022-04-05"
},
{
"@id": "d3f:CCI-001400_v2022-04-05"
},
{
"@id": "d3f:CCI-001401_v2022-04-05"
},
{
"@id": "d3f:CCI-001403_v2022-04-05"
},
{
"@id": "d3f:CCI-001404_v2022-04-05"
},
{
"@id": "d3f:CCI-001405_v2022-04-05"
},
{
"@id": "d3f:CCI-001414_v2022-04-05"
},
{
"@id": "d3f:CCI-001424_v2022-04-05"
},
{
"@id": "d3f:CCI-001425_v2022-04-05"
},
{
"@id": "d3f:CCI-001426_v2022-04-05"
},
{
"@id": "d3f:CCI-001427_v2022-04-05"
},
{
"@id": "d3f:CCI-001428_v2022-04-05"
},
{
"@id": "d3f:CCI-001436_v2022-04-05"
},
{
"@id": "d3f:CCI-001452_v2022-04-05"
},
{
"@id": "d3f:CCI-001453_v2022-04-05"
},
{
"@id": "d3f:CCI-001454_v2022-04-05"
},
{
"@id": "d3f:CCI-001493_v2022-04-05"
},
{
"@id": "d3f:CCI-001494_v2022-04-05"
},
{
"@id": "d3f:CCI-001495_v2022-04-05"
},
{
"@id": "d3f:CCI-001496_v2022-04-05"
},
{
"@id": "d3f:CCI-001499_v2022-04-05"
},
{
"@id": "d3f:CCI-001555_v2022-04-05"
},
{
"@id": "d3f:CCI-001556_v2022-04-05"
},
{
"@id": "d3f:CCI-001557_v2022-04-05"
},
{
"@id": "d3f:CCI-001574_v2022-04-05"
},
{
"@id": "d3f:CCI-001589_v2022-04-05"
},
{
"@id": "d3f:CCI-001619_v2022-04-05"
},
{
"@id": "d3f:CCI-001632_v2022-04-05"
},
{
"@id": "d3f:CCI-001662_v2022-04-05"
},
{
"@id": "d3f:CCI-001668_v2022-04-05"
},
{
"@id": "d3f:CCI-001677_v2022-04-05"
},
{
"@id": "d3f:CCI-001682_v2022-04-05"
},
{
"@id": "d3f:CCI-001683_v2022-04-05"
},
{
"@id": "d3f:CCI-001684_v2022-04-05"
},
{
"@id": "d3f:CCI-001685_v2022-04-05"
},
{
"@id": "d3f:CCI-001686_v2022-04-05"
},
{
"@id": "d3f:CCI-001695_v2022-04-05"
},
{
"@id": "d3f:CCI-001744_v2022-04-05"
},
{
"@id": "d3f:CCI-001749_v2022-04-05"
},
{
"@id": "d3f:CCI-001762_v2022-04-05"
},
{
"@id": "d3f:CCI-001764_v2022-04-05"
},
{
"@id": "d3f:CCI-001767_v2022-04-05"
},
{
"@id": "d3f:CCI-001774_v2022-04-05"
},
{
"@id": "d3f:CCI-001811_v2022-04-05"
},
{
"@id": "d3f:CCI-001812_v2022-04-05"
},
{
"@id": "d3f:CCI-001813_v2022-04-05"
},
{
"@id": "d3f:CCI-001855_v2022-04-05"
},
{
"@id": "d3f:CCI-001858_v2022-04-05"
},
{
"@id": "d3f:CCI-001936_v2022-04-05"
},
{
"@id": "d3f:CCI-001937_v2022-04-05"
},
{
"@id": "d3f:CCI-001941_v2022-04-05"
},
{
"@id": "d3f:CCI-001953_v2022-04-05"
},
{
"@id": "d3f:CCI-001954_v2022-04-05"
},
{
"@id": "d3f:CCI-001957_v2022-04-05"
},
{
"@id": "d3f:CCI-001991_v2022-04-05"
},
{
"@id": "d3f:CCI-002005_v2022-04-05"
},
{
"@id": "d3f:CCI-002009_v2022-04-05"
},
{
"@id": "d3f:CCI-002010_v2022-04-05"
},
{
"@id": "d3f:CCI-002015_v2022-04-05"
},
{
"@id": "d3f:CCI-002016_v2022-04-05"
},
{
"@id": "d3f:CCI-002041_v2022-04-05"
},
{
"@id": "d3f:CCI-002145_v2022-04-05"
},
{
"@id": "d3f:CCI-002165_v2022-04-05"
},
{
"@id": "d3f:CCI-002169_v2022-04-05"
},
{
"@id": "d3f:CCI-002178_v2022-04-05"
},
{
"@id": "d3f:CCI-002179_v2022-04-05"
},
{
"@id": "d3f:CCI-002201_v2022-04-05"
},
{
"@id": "d3f:CCI-002205_v2022-04-05"
},
{
"@id": "d3f:CCI-002207_v2022-04-05"
},
{
"@id": "d3f:CCI-002211_v2022-04-05"
},
{
"@id": "d3f:CCI-002218_v2022-04-05"
},
{
"@id": "d3f:CCI-002233_v2022-04-05"
},
{
"@id": "d3f:CCI-002235_v2022-04-05"
},
{
"@id": "d3f:CCI-002238_v2022-04-05"
},
{
"@id": "d3f:CCI-002262_v2022-04-05"
},
{
"@id": "d3f:CCI-002263_v2022-04-05"
},
{
"@id": "d3f:CCI-002264_v2022-04-05"
},
{
"@id": "d3f:CCI-002272_v2022-04-05"
},
{
"@id": "d3f:CCI-002277_v2022-04-05"
},
{
"@id": "d3f:CCI-002281_v2022-04-05"
},
{
"@id": "d3f:CCI-002282_v2022-04-05"
},
{
"@id": "d3f:CCI-002283_v2022-04-05"
},
{
"@id": "d3f:CCI-002284_v2022-04-05"
},
{
"@id": "d3f:CCI-002289_v2022-04-05"
},
{
"@id": "d3f:CCI-002290_v2022-04-05"
},
{
"@id": "d3f:CCI-002302_v2022-04-05"
},
{
"@id": "d3f:CCI-002306_v2022-04-05"
},
{
"@id": "d3f:CCI-002307_v2022-04-05"
},
{
"@id": "d3f:CCI-002308_v2022-04-05"
},
{
"@id": "d3f:CCI-002309_v2022-04-05"
},
{
"@id": "d3f:CCI-002322_v2022-04-05"
},
{
"@id": "d3f:CCI-002346_v2022-04-05"
},
{
"@id": "d3f:CCI-002347_v2022-04-05"
},
{
"@id": "d3f:CCI-002353_v2022-04-05"
},
{
"@id": "d3f:CCI-002355_v2022-04-05"
},
{
"@id": "d3f:CCI-002357_v2022-04-05"
},
{
"@id": "d3f:CCI-002358_v2022-04-05"
},
{
"@id": "d3f:CCI-002359_v2022-04-05"
},
{
"@id": "d3f:CCI-002361_v2022-04-05"
},
{
"@id": "d3f:CCI-002363_v2022-04-05"
},
{
"@id": "d3f:CCI-002364_v2022-04-05"
},
{
"@id": "d3f:CCI-002381_v2022-04-05"
},
{
"@id": "d3f:CCI-002382_v2022-04-05"
},
{
"@id": "d3f:CCI-002384_v2022-04-05"
},
{
"@id": "d3f:CCI-002385_v2022-04-05"
},
{
"@id": "d3f:CCI-002394_v2022-04-05"
},
{
"@id": "d3f:CCI-002397_v2022-04-05"
},
{
"@id": "d3f:CCI-002400_v2022-04-05"
},
{
"@id": "d3f:CCI-002403_v2022-04-05"
},
{
"@id": "d3f:CCI-002409_v2022-04-05"
},
{
"@id": "d3f:CCI-002411_v2022-04-05"
},
{
"@id": "d3f:CCI-002420_v2022-04-05"
},
{
"@id": "d3f:CCI-002421_v2022-04-05"
},
{
"@id": "d3f:CCI-002422_v2022-04-05"
},
{
"@id": "d3f:CCI-002423_v2022-04-05"
},
{
"@id": "d3f:CCI-002425_v2022-04-05"
},
{
"@id": "d3f:CCI-002426_v2022-04-05"
},
{
"@id": "d3f:CCI-002460_v2022-04-05"
},
{
"@id": "d3f:CCI-002462_v2022-04-05"
},
{
"@id": "d3f:CCI-002463_v2022-04-05"
},
{
"@id": "d3f:CCI-002464_v2022-04-05"
},
{
"@id": "d3f:CCI-002465_v2022-04-05"
},
{
"@id": "d3f:CCI-002466_v2022-04-05"
},
{
"@id": "d3f:CCI-002467_v2022-04-05"
},
{
"@id": "d3f:CCI-002468_v2022-04-05"
},
{
"@id": "d3f:CCI-002470_v2022-04-05"
},
{
"@id": "d3f:CCI-002475_v2022-04-05"
},
{
"@id": "d3f:CCI-002476_v2022-04-05"
},
{
"@id": "d3f:CCI-002530_v2022-04-05"
},
{
"@id": "d3f:CCI-002531_v2022-04-05"
},
{
"@id": "d3f:CCI-002533_v2022-04-05"
},
{
"@id": "d3f:CCI-002536_v2022-04-05"
},
{
"@id": "d3f:CCI-002546_v2022-04-05"
},
{
"@id": "d3f:CCI-002605_v2022-04-05"
},
{
"@id": "d3f:CCI-002607_v2022-04-05"
},
{
"@id": "d3f:CCI-002613_v2022-04-05"
},
{
"@id": "d3f:CCI-002614_v2022-04-05"
},
{
"@id": "d3f:CCI-002617_v2022-04-05"
},
{
"@id": "d3f:CCI-002618_v2022-04-05"
},
{
"@id": "d3f:CCI-002630_v2022-04-05"
},
{
"@id": "d3f:CCI-002631_v2022-04-05"
},
{
"@id": "d3f:CCI-002661_v2022-04-05"
},
{
"@id": "d3f:CCI-002662_v2022-04-05"
},
{
"@id": "d3f:CCI-002684_v2022-04-05"
},
{
"@id": "d3f:CCI-002688_v2022-04-05"
},
{
"@id": "d3f:CCI-002689_v2022-04-05"
},
{
"@id": "d3f:CCI-002690_v2022-04-05"
},
{
"@id": "d3f:CCI-002691_v2022-04-05"
},
{
"@id": "d3f:CCI-002710_v2022-04-05"
},
{
"@id": "d3f:CCI-002711_v2022-04-05"
},
{
"@id": "d3f:CCI-002712_v2022-04-05"
},
{
"@id": "d3f:CCI-002715_v2022-04-05"
},
{
"@id": "d3f:CCI-002716_v2022-04-05"
},
{
"@id": "d3f:CCI-002717_v2022-04-05"
},
{
"@id": "d3f:CCI-002718_v2022-04-05"
},
{
"@id": "d3f:CCI-002723_v2022-04-05"
},
{
"@id": "d3f:CCI-002724_v2022-04-05"
},
{
"@id": "d3f:CCI-002726_v2022-04-05"
},
{
"@id": "d3f:CCI-002729_v2022-04-05"
},
{
"@id": "d3f:CCI-002740_v2022-04-05"
},
{
"@id": "d3f:CCI-002743_v2022-04-05"
},
{
"@id": "d3f:CCI-002746_v2022-04-05"
},
{
"@id": "d3f:CCI-002748_v2022-04-05"
},
{
"@id": "d3f:CCI-002749_v2022-04-05"
},
{
"@id": "d3f:CCI-002771_v2022-04-05"
},
{
"@id": "d3f:CCI-002824_v2022-04-05"
},
{
"@id": "d3f:CCI-002883_v2022-04-05"
},
{
"@id": "d3f:CCI-002890_v2022-04-05"
},
{
"@id": "d3f:CCI-002891_v2022-04-05"
},
{
"@id": "d3f:CCI-003014_v2022-04-05"
},
{
"@id": "d3f:CCI-003123_v2022-04-05"
}
],
"d3f:version": "2022-04-05",
"rdfs:label": "CCI Catalog v2022-04-05",
"rdfs:seeAlso": {
"@id": "https://public.cyber.mil/stigs/cci/"
}
},
{
"@id": "d3f:Density-basedClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DBC",
"d3f:definition": "Density-based clustering connects areas of high example density into clusters. This allows for arbitrary-shaped distributions as long as dense areas can be connected.",
"d3f:kb-article": "## References\nGoogle Developers. (n.d.). Clustering algorithms. [Link](https://developers.google.com/machine-learning/clustering/clustering-algorithms)",
"rdfs:label": "Density-based Clustering",
"rdfs:subClassOf": {
"@id": "d3f:ClusterAnalysis"
}
},
{
"@id": "d3f:WindowsNtResumeThread",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"rdfs:label": "Windows NtResumeThread",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIResumeThread"
}
},
{
"@id": "d3f:AccessControlEvent",
"@type": "owl:Class",
"d3f:definition": "An event that captures the implementation or evaluation of access control measures, including the application of rules and policies to govern the accessibility of resources by agents within a digital system.",
"rdfs:label": "Access Control Event",
"rdfs:subClassOf": [
{
"@id": "d3f:AuthorizationEvent"
},
{
"@id": "_:N6cb865fafefe43399e5351d270dc052b"
}
]
},
{
"@id": "_:N6cb865fafefe43399e5351d270dc052b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:AccessControlConfiguration"
}
},
{
"@id": "d3f:T1562.010",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:LegacySystem"
},
"d3f:attack-id": "T1562.010",
"d3f:definition": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.",
"rdfs:label": "Downgrade Attack",
"rdfs:subClassOf": [
{
"@id": "d3f:T1562"
},
{
"@id": "_:Na5138787c8564990a9edebd057600f6f"
}
]
},
{
"@id": "_:Na5138787c8564990a9edebd057600f6f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:LegacySystem"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-3_4",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Malicious Code Protection | Updates Only by Privileged Users",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:LocalFilePermissions"
},
{
"@id": "d3f:SystemConfigurationPermissions"
}
],
"rdfs:label": "SI-3(4)"
},
{
"@id": "d3f:StackComponent",
"@type": "owl:Class",
"d3f:definition": "A stack component is any component of a call stack used for stack-based memory allocation in a running process. Examples include saved instruction pointers, stack frames, and stack frame canaries.",
"rdfs:label": "Stack Component",
"rdfs:seeAlso": {
"@id": "dbr:Call_stack"
},
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:CWE-512",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-512",
"d3f:definition": "The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.",
"rdfs:label": "Spyware",
"rdfs:subClassOf": {
"@id": "d3f:CWE-506"
}
},
{
"@id": "d3f:process-user",
"@type": "owl:ObjectProperty",
"d3f:definition": "x process-user y: The process x has been executed by the user y.",
"rdfs:label": "process-user",
"rdfs:subPropertyOf": {
"@id": "d3f:process-property"
},
"skos:altLabel": "processUser"
},
{
"@id": "d3f:EpistemicLogic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-EL",
"d3f:definition": "Epistemic logic addresses modalities of knowledge; i.e., the certainty of sentences.",
"d3f:kb-article": "## References\n1. Epistemic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Epistemic_logic)",
"d3f:synonym": "Epistemic Modal Logic",
"rdfs:label": "Epistemic Logic",
"rdfs:subClassOf": {
"@id": "d3f:ModalLogic"
}
},
{
"@id": "d3f:LinuxPtraceArgumentPTRACESETREGS",
"@type": "owl:Class",
"d3f:definition": "Modify the tracee's general-purpose or floating-point registers, respectively, from the address data in the tracer.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
},
"rdfs:label": "Linux Ptrace Argument PTRACE_SETREGS",
"rdfs:subClassOf": {
"@id": "d3f:OSAPISetRegisters"
}
},
{
"@id": "d3f:CWE-1049",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1049",
"d3f:definition": "The product performs a data query with a large number of joins and sub-queries on a large data table.",
"rdfs:label": "Excessive Data Query Operations in a Large Data Table",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1176"
}
},
{
"@id": "d3f:Reference-IntroducingFirefoxNewSiteIsolationArchitecture",
"@type": [
"owl:NamedIndividual",
"d3f:InternetArticleReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture/"
},
"d3f:kb-abstract": "",
"d3f:kb-author": "Anny Gakhokidze",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Mozilla Foundation",
"d3f:kb-reference-of": {
"@id": "d3f:Application-basedProcessIsolation"
},
"d3f:kb-reference-title": "Site Isolation Design Document",
"d3f:release-date": "May 18, 2021",
"rdfs:label": "Reference - Introducing Firefox's new Site Isolation Architecture"
},
{
"@id": "d3f:PasswordAuthentication",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:PasswordAuthentication"
],
"d3f:d3fend-id": "D3-PWA",
"d3f:definition": "Password authentication is a security mechanism used to verify the identity of a user or entity attempting to access a system or resource by requiring the input of a secret string of characters, known as a password, that is associated with the user or entity.",
"d3f:kb-reference": {
"@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
},
"d3f:uses": {
"@id": "d3f:Password"
},
"rdfs:label": "Password Authentication",
"rdfs:subClassOf": [
{
"@id": "d3f:AgentAuthentication"
},
{
"@id": "_:Ne54dbb6c8f144b1a9c65fd53de7bd3ff"
}
]
},
{
"@id": "_:Ne54dbb6c8f144b1a9c65fd53de7bd3ff",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:uses"
},
"owl:someValuesFrom": {
"@id": "d3f:Password"
}
},
{
"@id": "d3f:deceives-with",
"@type": "owl:ObjectProperty",
"d3f:definition": "x deceives-with y: The entity x misleads or manipulates another entity using y as a tool, method, or mechanism to create false perceptions or understanding.",
"rdfs:label": "deceives-with",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-tactical-verb-property"
}
},
{
"@id": "d3f:CCI-001764_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:ExecutableAllowlisting"
},
{
"@id": "d3f:ExecutableDenylisting"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-02-28T00:00:00"
},
"rdfs:label": "CCI-001764"
},
{
"@id": "d3f:CWE-696",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-696",
"d3f:definition": "The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.",
"rdfs:label": "Incorrect Behavior Order",
"rdfs:subClassOf": {
"@id": "d3f:CWE-691"
}
},
{
"@id": "d3f:CWE-793",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-793",
"d3f:definition": "The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.",
"rdfs:label": "Only Filtering One Instance of a Special Element",
"rdfs:subClassOf": {
"@id": "d3f:CWE-792"
}
},
{
"@id": "d3f:StackFrame",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A machine-dependent and application-binary-dependent (ABI-dependent) data structure containing subroutine state information including the arguments passed into the routine, the return address back to the routine's caller, and space for local variables of the routine.",
"d3f:may-contain": [
{
"@id": "d3f:Pointer"
},
{
"@id": "d3f:StackFrameCanary"
}
],
"rdfs:isDefinedBy": {
"@id": "http://dbpedia.org/resource/Call_stack#Structure"
},
"rdfs:label": "Stack Frame",
"rdfs:seeAlso": {
"@id": "dbr:Call_stack"
},
"rdfs:subClassOf": [
{
"@id": "d3f:StackComponent"
},
{
"@id": "_:N032df01d179447538d77a20106f83e51"
},
{
"@id": "_:Nf23332d9d76f44c8b9c2761be4b0bc7c"
}
],
"skos:altLabel": [
"Activation Frame",
"Activation Record"
]
},
{
"@id": "_:N032df01d179447538d77a20106f83e51",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:Pointer"
}
},
{
"@id": "_:Nf23332d9d76f44c8b9c2761be4b0bc7c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:StackFrameCanary"
}
},
{
"@id": "d3f:ResumeProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:resumes": {
"@id": "d3f:Process"
},
"rdfs:label": "Resume Process",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N5d376c8b440441d3864735bf60756d66"
}
]
},
{
"@id": "_:N5d376c8b440441d3864735bf60756d66",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:resumes"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:CloudUserAccount",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A user account on a given host is a local user account for a given cloud and specified resources within that cloud.",
"rdfs:label": "Cloud User Account",
"rdfs:subClassOf": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:CWE-1189",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1189",
"d3f:definition": "The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.",
"rdfs:label": "Improper Isolation of Shared Resources on System-on-a-Chip (SoC)",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-653"
},
{
"@id": "d3f:CWE-668"
}
]
},
{
"@id": "d3f:CWE-367",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-367",
"d3f:definition": "The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.",
"d3f:synonym": [
"TOCCTOU",
"TOCTTOU"
],
"rdfs:label": "Time-of-check Time-of-use (TOCTOU) Race Condition",
"rdfs:subClassOf": {
"@id": "d3f:CWE-362"
}
},
{
"@id": "d3f:Server",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "In computing, a server is a piece of computer hardware or software (computer program) that provides functionality for other programs or devices, called \"clients\". This architecture is called the client-server model. Servers can provide various functionalities, often called \"services\", such as sharing data or resources among multiple clients, or performing computation for a client. A single server can serve multiple clients, and a single client can use multiple servers. A client process may run on the same device or may connect over a network to a server on a different device. Typical servers are database servers, file servers, mail servers, print servers, web servers, game servers, and application servers.",
"d3f:manages": {
"@id": "d3f:ServiceApplicationProcess"
},
"d3f:runs": {
"@id": "d3f:ServiceApplication"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Server_(computing)"
},
"rdfs:label": "Server",
"rdfs:subClassOf": [
{
"@id": "d3f:Host"
},
{
"@id": "_:Na452513805e140d4aba8f485e7de96ea"
},
{
"@id": "_:N6bb3db82681c44ec9744adfbceb31ef0"
}
]
},
{
"@id": "_:Na452513805e140d4aba8f485e7de96ea",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:manages"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceApplicationProcess"
}
},
{
"@id": "_:N6bb3db82681c44ec9744adfbceb31ef0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:runs"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceApplication"
}
},
{
"@id": "d3f:LogonEvent",
"@type": "owl:Class",
"d3f:definition": "An authentication event where a new session is initiated, signifying the successful validation of credentials and establishment of an authorized connection to a system, application, or resource. This marks the beginning of the subject’s authenticated interaction with the system.",
"rdfs:label": "Logon Event",
"rdfs:subClassOf": [
{
"@id": "d3f:AuthenticationEvent"
},
{
"@id": "_:N93bfcb735ca842ab9a2fcea2f7831419"
}
]
},
{
"@id": "_:N93bfcb735ca842ab9a2fcea2f7831419",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:Session"
}
},
{
"@id": "d3f:NetworkEvent",
"@type": "owl:Class",
"d3f:definition": "An event involving network communications within or between digital systems.",
"rdfs:label": "Network Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/categories/network"
},
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalEvent"
},
{
"@id": "_:Ne65940e2dafc4b5a862d3347a160f59a"
}
]
},
{
"@id": "_:Ne65940e2dafc4b5a862d3347a160f59a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTraffic"
}
},
{
"@id": "d3f:CWE-1330",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1330",
"d3f:definition": "Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.",
"rdfs:label": "Remanent Data Readable after Memory Erase",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1301"
}
},
{
"@id": "d3f:CCI-000040_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:AuthorizationEventThresholding"
},
{
"@id": "d3f:LocalAccountMonitoring"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-14T00:00:00"
},
"rdfs:label": "CCI-000040"
},
{
"@id": "d3f:T1592.004",
"@type": "owl:Class",
"d3f:attack-id": "T1592.004",
"d3f:definition": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.",
"rdfs:label": "Client Configurations",
"rdfs:subClassOf": {
"@id": "d3f:T1592"
}
},
{
"@id": "d3f:CCI-001400_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:UserAccountPermissions"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system supports and maintains the binding of organization-defined security attributes to information in process.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-22T00:00:00"
},
"rdfs:label": "CCI-001400"
},
{
"@id": "d3f:Reference-PrivacyAndSecuritySystemsAndMethodsOfUse",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US10128890B2/en"
},
"d3f:kb-author": "Teddy David Thomas",
"d3f:kb-reference-title": "Privacy and security systems and methods of use",
"rdfs:label": "Reference - Privacy and security systems and methods of use"
},
{
"@id": "d3f:T1137.005",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1137.005",
"d3f:definition": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)",
"d3f:modifies": {
"@id": "d3f:ApplicationConfigurationDatabase"
},
"rdfs:label": "Outlook Rules",
"rdfs:subClassOf": [
{
"@id": "d3f:T1137"
},
{
"@id": "_:N817cfb6b5960496fbcfc66794291e289"
}
]
},
{
"@id": "_:N817cfb6b5960496fbcfc66794291e289",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ApplicationConfigurationDatabase"
}
},
{
"@id": "d3f:CWE-347",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-347",
"d3f:definition": "The product does not verify, or incorrectly verifies, the cryptographic signature for data.",
"rdfs:label": "Improper Verification of Cryptographic Signature",
"rdfs:subClassOf": {
"@id": "d3f:CWE-345"
}
},
{
"@id": "d3f:CWE-909",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-909",
"d3f:definition": "The product does not initialize a critical resource.",
"rdfs:label": "Missing Initialization of Resource",
"rdfs:subClassOf": {
"@id": "d3f:CWE-665"
}
},
{
"@id": "d3f:DigitalInformation",
"@type": "owl:Class",
"d3f:definition": "Digital information is a broad category of encoded representations in digital form that convey meaning, instructions, or functionality.",
"rdfs:label": "Digital Information",
"rdfs:subClassOf": {
"@id": "d3f:DigitalArtifact"
}
},
{
"@id": "d3f:T1547.009",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1547.009",
"d3f:definition": "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.",
"d3f:may-modify": [
{
"@id": "d3f:SymbolicLink"
},
{
"@id": "d3f:UserStartupScriptFile"
}
],
"rdfs:label": "Shortcut Modification",
"rdfs:subClassOf": [
{
"@id": "d3f:T1547"
},
{
"@id": "_:Na45f9dafe8d2414f8e967a41fc9b1541"
},
{
"@id": "_:N2287110b419f493085e8ea613bc056fe"
}
]
},
{
"@id": "_:Na45f9dafe8d2414f8e967a41fc9b1541",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:SymbolicLink"
}
},
{
"@id": "_:N2287110b419f493085e8ea613bc056fe",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:UserStartupScriptFile"
}
},
{
"@id": "d3f:CWE-1296",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1296",
"d3f:definition": "The product's debug components contain incorrect chaining or granularity of debug components.",
"rdfs:label": "Incorrect Chaining or Granularity of Debug Components",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:CWE-550",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-550",
"d3f:definition": "Certain conditions, such as network failure, will cause a server error message to be displayed.",
"rdfs:label": "Server-generated Error Message Containing Sensitive Information",
"rdfs:subClassOf": {
"@id": "d3f:CWE-209"
}
},
{
"@id": "d3f:WindowsRegistryKeyCreationEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a new registry key is added to the Windows Registry, establishing a new hierarchical node for configuration.",
"rdfs:label": "Windows Registry Key Creation Event",
"rdfs:subClassOf": [
{
"@id": "d3f:WindowsRegistryKeyEvent"
},
{
"@id": "_:Nf64af70b13c2450889aaf4ed05f37aa8"
}
]
},
{
"@id": "_:Nf64af70b13c2450889aaf4ed05f37aa8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsRegistryKeyImportEvent"
}
},
{
"@id": "d3f:Agent",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An entity capable of performing intentional actions.",
"rdfs:label": "Agent",
"rdfs:subClassOf": {
"@id": "d3f:D3FENDCore"
}
},
{
"@id": "d3f:CCI-002411_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:Hardware-basedProcessIsolation"
},
{
"@id": "d3f:IOPortRestriction"
},
{
"@id": "d3f:Kernel-basedProcessIsolation"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002411"
},
{
"@id": "d3f:CWE-441",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-441",
"d3f:definition": "The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.",
"d3f:synonym": "Confused Deputy",
"rdfs:label": "Unintended Proxy or Intermediary ('Confused Deputy')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-610"
}
},
{
"@id": "d3f:restricted-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x restricted-by y: The entity x is limited, constrained, or regulated by entity y.",
"owl:inverseOf": {
"@id": "d3f:restricts"
},
"rdfs:label": "restricted-by",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:ProductDeveloper",
"@type": "owl:Class",
"d3f:definition": "A product developer intentionally designs, creates, or improves products, which may include physical goods, software, or other outputs.",
"rdfs:label": "Product Developer",
"rdfs:subClassOf": {
"@id": "d3f:Provider"
}
},
{
"@id": "d3f:CWE-280",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-280",
"d3f:definition": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.",
"rdfs:label": "Improper Handling of Insufficient Permissions or Privileges",
"rdfs:subClassOf": {
"@id": "d3f:CWE-755"
}
},
{
"@id": "d3f:ApplicationInstaller",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An application installer is a user application designed to install, configure, and deploy another application.",
"rdfs:label": "Application Installer",
"rdfs:subClassOf": {
"@id": "d3f:UserApplication"
}
},
{
"@id": "d3f:T1036.006",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1036.006",
"d3f:creates": {
"@id": "d3f:File"
},
"d3f:definition": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.",
"rdfs:label": "Space after Filename",
"rdfs:subClassOf": [
{
"@id": "d3f:T1036"
},
{
"@id": "_:N3f6713d187dc4a48a18181f0edf6bf21"
}
]
},
{
"@id": "_:N3f6713d187dc4a48a18181f0edf6bf21",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:CWE-923",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-923",
"d3f:definition": "The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.",
"rdfs:label": "Improper Restriction of Communication Channel to Intended Endpoints",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:CWE-1431",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1431",
"d3f:definition": "The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires (typically the output port containing the final result).",
"rdfs:label": "Driving Intermediate Cryptographic State/Results to Hardware Module Outputs",
"rdfs:subClassOf": {
"@id": "d3f:CWE-200"
}
},
{
"@id": "d3f:obfuscates",
"@type": "owl:ObjectProperty",
"d3f:definition": "x obfuscates y: The technique x makes the digital artifact y unclear or obscure. Typically obfuscation is a way to hide a digital artifact from discovery, use, or both.",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/00942245-v"
},
"rdfs:label": "obfuscates",
"rdfs:seeAlso": {
"@id": "dbr:Obfuscation_(software)"
},
"rdfs:subPropertyOf": [
{
"@id": "d3f:evicts"
},
{
"@id": "d3f:modifies"
}
]
},
{
"@id": "d3f:MSGEmailFile",
"@type": [
"owl:NamedIndividual",
"d3f:Email"
],
"rdfs:label": "MSG Email File"
},
{
"@id": "d3f:CWE-824",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-824",
"d3f:definition": "The product accesses or uses a pointer that has not been initialized.",
"d3f:weakness-of": {
"@id": "d3f:PointerDereferencingFunction"
},
"rdfs:label": "Access of Uninitialized Pointer",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-119"
},
{
"@id": "_:N47b34a9c53364033a4369447e1f59233"
}
]
},
{
"@id": "_:N47b34a9c53364033a4369447e1f59233",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:PointerDereferencingFunction"
}
},
{
"@id": "d3f:WirelessAttacker",
"@type": "owl:Class",
"d3f:definition": "An attacker who targets wireless communication methods, like Wi-Fi, without needing physical access to the premises.",
"rdfs:label": "Wireless Attacker",
"rdfs:subClassOf": [
{
"@id": "d3f:RemoteAttacker"
},
{
"@id": "_:N9191e5c634eb4f7f9e11610768c10433"
},
{
"@id": "_:Nc0afb26ea98e4a81b36202b3f72bee43"
},
{
"@id": "_:N2d84deff8a6046b0805c453506856e88"
}
]
},
{
"@id": "_:N9191e5c634eb4f7f9e11610768c10433",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:PhysicalLink"
}
},
{
"@id": "_:Nc0afb26ea98e4a81b36202b3f72bee43",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:WirelessAccessPoint"
}
},
{
"@id": "_:N2d84deff8a6046b0805c453506856e88",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:WirelessRouter"
}
},
{
"@id": "d3f:LinuxMmap",
"@type": "owl:Class",
"d3f:definition": "Map files or devices into memory.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/mmap.2.html"
},
"rdfs:label": "Linux Mmap",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIAllocateMemory"
}
},
{
"@id": "d3f:T1504",
"@type": "owl:Class",
"d3f:attack-id": "T1504",
"d3f:definition": "Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1546.013",
"rdfs:label": "PowerShell Profile",
"rdfs:seeAlso": "T1546.013",
"rdfs:subClassOf": [
{
"@id": "d3f:PersistenceTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
}
]
},
{
"@id": "d3f:T1567",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1567",
"d3f:definition": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.",
"d3f:produces": {
"@id": "d3f:OutboundInternetWebTraffic"
},
"rdfs:label": "Exfiltration Over Web Service",
"rdfs:subClassOf": [
{
"@id": "d3f:ExfiltrationTechnique"
},
{
"@id": "_:N7e6dffdd463a4d2882a88dbd2a86fa7b"
}
]
},
{
"@id": "_:N7e6dffdd463a4d2882a88dbd2a86fa7b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetWebTraffic"
}
},
{
"@id": "d3f:WindowsCreateRemoteThread",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Creates a thread that runs in the virtual address space of another process.",
"d3f:invokes": {
"@id": "d3f:WindowsNtCreateThreadEx"
},
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread"
},
"rdfs:label": "Windows CreateRemoteThread",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPICreateThread"
},
{
"@id": "_:Ncda03c7ec742483da41a8a29e50b1bfa"
}
]
},
{
"@id": "_:Ncda03c7ec742483da41a8a29e50b1bfa",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtCreateThreadEx"
}
},
{
"@id": "d3f:T1077",
"@type": "owl:Class",
"d3f:attack-id": "T1077",
"d3f:definition": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1021.002",
"rdfs:label": "Windows Admin Shares",
"rdfs:seeAlso": "T1021.002",
"rdfs:subClassOf": {
"@id": "d3f:LateralMovementTechnique"
}
},
{
"@id": "d3f:CWE-775",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-775",
"d3f:definition": "The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.",
"rdfs:label": "Missing Release of File Descriptor or Handle after Effective Lifetime",
"rdfs:subClassOf": {
"@id": "d3f:CWE-772"
}
},
{
"@id": "d3f:OTConnectionCommand",
"@type": "owl:Class",
"d3f:definition": "Establish a network connection with a device.",
"rdfs:comment": [
"BACnet: vtOpen\nBACnet: vtClose ",
"ENIP: Register Session\nENIP: Unregister Session"
],
"rdfs:label": "OT Connection Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTNetworkManagementCommand"
}
},
{
"@id": "d3f:LinuxUnlinkat",
"@type": "owl:Class",
"d3f:definition": "Delete a name and possibly the file it refers to. Different parameter handling than Linux Unlink",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/unlinkat.2.html"
},
"rdfs:label": "Linux Unlinkat",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIDeleteFile"
}
},
{
"@id": "d3f:CWE-1312",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1312",
"d3f:definition": "The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.",
"rdfs:label": "Missing Protection for Mirrored Regions in On-Chip Fabric Firewall",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:CWE-454",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-454",
"d3f:definition": "The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.",
"rdfs:label": "External Initialization of Trusted Variables or Data Stores",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1419"
},
{
"@id": "d3f:CWE-665"
}
]
},
{
"@id": "d3f:T1543.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1543.002",
"d3f:definition": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.",
"d3f:may-create": {
"@id": "d3f:OperatingSystemConfigurationFile"
},
"d3f:may-modify": {
"@id": "d3f:OperatingSystemConfigurationFile"
},
"rdfs:label": "Systemd Service",
"rdfs:subClassOf": [
{
"@id": "d3f:T1543"
},
{
"@id": "_:Nb14ad9e459cc4db99f743be461eefa43"
},
{
"@id": "_:Nd989254781724c1a9696cc6168b5ad16"
}
]
},
{
"@id": "_:Nb14ad9e459cc4db99f743be461eefa43",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingSystemConfigurationFile"
}
},
{
"@id": "_:Nd989254781724c1a9696cc6168b5ad16",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingSystemConfigurationFile"
}
},
{
"@id": "d3f:T1181",
"@type": "owl:Class",
"d3f:attack-id": "T1181",
"d3f:definition": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). (Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1055.011",
"rdfs:label": "Extra Window Memory Injection",
"rdfs:seeAlso": "T1055.011",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
}
]
},
{
"@id": "d3f:IndirectBranchCallAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:IndirectBranchCallAnalysis"
],
"d3f:d3fend-id": "D3-IBCA",
"d3f:definition": "Analyzing vendor specific branch call recording in order to detect ROP style attacks.",
"d3f:kb-article": "## How it works\n\nThis technique is used to detect an attacker attempting to exploit and execute code on a target system's call stack using return-oriented programming (ROP). Modern processors that have the ability to maintain a list of the branching calls, e.g., Intel's Last Branch Recording (LBR), can be used to track and analyze indirect branching calls that are indicative of malicious activity.\n\nIn order to reduce the number of indirect branch calls to analyze to a manageable set it is assumed that malicious ROP activity will involve the use of system calls. The technique observes indirect branch calls that are part of paths that lead to system calls, all others are ignored. Branching calls chained together is often referred to as gadgets and gadgets are often used in ROP attacks. Indirect branch calls that involve a transfer from user-space to kernel-space are of interest for this technique.\n\nIdentification of potential ROP exploit execution includes:\n\n- Inspecting the LBR when a system function call is made\n\n - The LBR is configured to return only instruction of interest (ret, indirect jmp, indirect calls)\n\n\n- Behavior is analyzed for\n - Ret instructions that appear to target areas not preceded by the call sites\n - Sequences of small code fragments that appear to be chained through the indirect branching calls (gadgets)\n\n\n- Of interest are returns that appear to not render control back after calls\n - Typical ret-call are paired\n - gadgets will appear to have ret followed by instruction of next instruction of the following gadget\n\n\n## Considerations\n\n* May be operating system dependent since specific system calls are used to scope branching behavoir\n* Processors need to support access to a Last Branch Recording list feature\n* The size of the LBR stack can limit the expected size of the analyzed execution stack\n* If processor does not support LBR then overhead costs for the analysis can be significant",
"d3f:kb-reference": {
"@id": "d3f:Reference-IndirectBranchingCalls"
},
"rdfs:label": "Indirect Branch Call Analysis",
"rdfs:subClassOf": {
"@id": "d3f:ProcessAnalysis"
}
},
{
"@id": "d3f:OTDeviceManagementMessage",
"@type": "owl:Class",
"d3f:definition": "Manage devices and their configurations.",
"rdfs:label": "OT Device Management Message",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTProtocolMessage"
}
},
{
"@id": "d3f:CWE-598",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-598",
"d3f:definition": "The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.",
"rdfs:label": "Use of GET Request Method With Sensitive Query Strings",
"rdfs:subClassOf": {
"@id": "d3f:CWE-201"
}
},
{
"@id": "d3f:M1018",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": [
{
"@id": "d3f:LocalFilePermissions"
},
{
"@id": "d3f:SystemCallFiltering"
},
{
"@id": "d3f:SystemConfigurationPermissions"
}
],
"rdfs:label": "User Account Management"
},
{
"@id": "d3f:T1127",
"@type": "owl:Class",
"d3f:attack-id": "T1127",
"d3f:definition": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.",
"rdfs:label": "Trusted Developer Utilities Proxy Execution",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:AssetVulnerabilityEnumeration",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:AssetVulnerabilityEnumeration"
],
"d3f:d3fend-id": "D3-AVE",
"d3f:definition": "Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.",
"d3f:evaluates": [
{
"@id": "d3f:PhysicalArtifact"
},
{
"@id": "d3f:Software"
}
],
"d3f:identifies": {
"@id": "d3f:Vulnerability"
},
"d3f:kb-reference": [
{
"@id": "d3f:Reference-AutomatedComputerVulnerabilityResolutionSystem"
},
{
"@id": "d3f:Reference-SecurityVulnerabilityInformationAggregation"
},
{
"@id": "d3f:Reference-SystemAndMethodForVulnerabilityRiskAssessment"
}
],
"rdfs:label": "Asset Vulnerability Enumeration",
"rdfs:subClassOf": [
{
"@id": "d3f:AssetInventory"
},
{
"@id": "_:Nce7a3bc6c6c747479dbbd6ae88cf40d6"
},
{
"@id": "_:N8c12e1a588c14662af2ad93596102e8b"
},
{
"@id": "_:Nbafc1dc005b743029877a9f548913e39"
}
]
},
{
"@id": "_:Nce7a3bc6c6c747479dbbd6ae88cf40d6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:evaluates"
},
"owl:someValuesFrom": {
"@id": "d3f:PhysicalArtifact"
}
},
{
"@id": "_:N8c12e1a588c14662af2ad93596102e8b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:evaluates"
},
"owl:someValuesFrom": {
"@id": "d3f:Software"
}
},
{
"@id": "_:Nbafc1dc005b743029877a9f548913e39",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:identifies"
},
"owl:someValuesFrom": {
"@id": "d3f:Vulnerability"
}
},
{
"@id": "d3f:SystemFileAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:SystemFileAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:OperatingSystemFile"
},
"d3f:d3fend-id": "D3-SFA",
"d3f:definition": "Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.",
"d3f:kb-article": "## How it works\nThis technique ensures the integrity of system owned file resources. System files can impact the behavior below the user level.\n\n\n## Considerations\n* Need to manage the size of log file analysis.\n* False positives are a concern with this technique and filtering will need to be given additional thought.\n* A baseline or snapshot of file checksums should be established for future comparison.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-AccessPermissionModification_MITRE"
},
{
"@id": "d3f:Reference-AutorunDifferences_MITRE"
},
{
"@id": "d3f:Reference-UserActivityFromClearingEventLogs_MITRE"
}
],
"rdfs:label": "System File Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:OperatingSystemMonitoring"
},
{
"@id": "_:N86a6882de2114f0eaff6ca9b783e0f31"
}
]
},
{
"@id": "_:N86a6882de2114f0eaff6ca9b783e0f31",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingSystemFile"
}
},
{
"@id": "d3f:CWE-363",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-363",
"d3f:definition": "The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.",
"rdfs:label": "Race Condition Enabling Link Following",
"rdfs:subClassOf": {
"@id": "d3f:CWE-367"
}
},
{
"@id": "d3f:OTRemoteModeCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Command that places the controller in a mode capable of receiving read/write communication from a networked entity.",
"rdfs:label": "OT Remote Mode Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
},
{
"@id": "_:N22e89928f19f455db25b0289e784d462"
},
{
"@id": "_:N5e2c8a79bf1e47d888a4346ef757ad63"
},
{
"@id": "_:N77527a822cbe41c6bb9b91439cd6de64"
}
]
},
{
"@id": "_:N22e89928f19f455db25b0289e784d462",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTraffic"
}
},
{
"@id": "_:N5e2c8a79bf1e47d888a4346ef757ad63",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTRemoteModeCommand"
}
},
{
"@id": "_:N77527a822cbe41c6bb9b91439cd6de64",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingMode"
}
},
{
"@id": "d3f:CWE-606",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-606",
"d3f:definition": "The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.",
"rdfs:label": "Unchecked Input for Loop Condition",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1284"
}
},
{
"@id": "d3f:VirtualizationSoftware",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Virtualization software allows a single host computer to create and run one or more virtual environments. Virtualization software is most often used to emulate a complete computer system in order to allow a guest operating system to be run, for example allowing Linux to run as a guest on top of a PC that is natively running a Microsoft Windows operating system (or the inverse, running Windows as a guest on Linux).",
"rdfs:isDefinedBy": {
"@id": "dbr:Category:Virtualization_software"
},
"rdfs:label": "Virtualization Software",
"rdfs:subClassOf": {
"@id": "d3f:ServiceApplication"
}
},
{
"@id": "d3f:T1036.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1036.002",
"d3f:definition": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)",
"d3f:modifies": {
"@id": "d3f:FileSystemMetadata"
},
"rdfs:label": "Right-to-Left Override",
"rdfs:subClassOf": [
{
"@id": "d3f:T1036"
},
{
"@id": "_:N676491eee3c247a399de6a21fb78a890"
}
]
},
{
"@id": "_:N676491eee3c247a399de6a21fb78a890",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:FileSystemMetadata"
}
},
{
"@id": "d3f:LinuxPtraceArgumentPTRACEINTERRUPT",
"@type": "owl:Class",
"d3f:definition": "Stops a tracee.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
},
"rdfs:label": "Linux Ptrace Argument PTRACE_INTERRUPT",
"rdfs:subClassOf": {
"@id": "d3f:OSAPISuspendProcess"
}
},
{
"@id": "d3f:CWE-1389",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1389",
"d3f:definition": "The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).",
"rdfs:label": "Incorrect Parsing of Numbers with Different Radices",
"rdfs:subClassOf": {
"@id": "d3f:CWE-704"
}
},
{
"@id": "d3f:CWE-821",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-821",
"d3f:definition": "The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.",
"rdfs:label": "Incorrect Synchronization",
"rdfs:subClassOf": {
"@id": "d3f:CWE-662"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_5",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Account Management | Inactivity Logout",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:related": {
"@id": "d3f:AccountLocking"
},
"rdfs:label": "AC-2(5)"
},
{
"@id": "d3f:CWE-488",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-488",
"d3f:definition": "The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.",
"rdfs:label": "Exposure of Data Element to Wrong Session",
"rdfs:subClassOf": {
"@id": "d3f:CWE-668"
}
},
{
"@id": "d3f:CCI-002890_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:EncryptedTunnels"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-22T00:00:00"
},
"rdfs:label": "CCI-002890"
},
{
"@id": "d3f:OutboundTrafficFiltering",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:OutboundTrafficFiltering"
],
"d3f:d3fend-id": "D3-OTF",
"d3f:definition": "Restricting network traffic originating from a private host or enclave destined towards untrusted networks.",
"d3f:filters": {
"@id": "d3f:OutboundNetworkTraffic"
},
"d3f:kb-article": "## How it works\n\nOutbound traffic, in this context, is network traffic originating from a private host or enclave destined towards untrusted networks.\nFor example:\n\n* An enterprise desktop intranet user connecting to www.example.com\n* An internal mail server connecting to an external mail server, mail.example.com\n\nFiltering is commonly implemented as firewall rulesets to limit outbound traffic permitted to egress a host or network. Firewalls are deployed either directly on hosts through kernel level software implementations or installed in-line directly on network links. There are benefits and disadvantages to each approach.\n\nThere are various strategies for developing filtering rulesets:\n\n* Block everything by default\n* Limit destination hosts\n* Limit destination transport or application protocols\n* Restrict content outbound (Ex. strings formatted as social security numbers, or proprietary data)\n\n## Considerations\n* Dynamic IP assignment creates challenges for Outbound Traffic Filtering because users are not necessarily associated with the same IP address. This can be addressed by linking IP address management information with the filtering logic.\n* Connections using non-standard transport layer ports may circumvent outbound traffic filtering technology which does not detect application protocol based on traffic content.\n* Business requirements typically drive the development of filtering rule sets.\n\n## Implementations\n- iptables (Linux)\n- Windows Firewall\n- pf (BSD)",
"d3f:kb-reference": {
"@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft"
},
"rdfs:label": "Outbound Traffic Filtering",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkTrafficFiltering"
},
{
"@id": "_:Nc4cbcf4a0f164710b05aef399519a582"
}
]
},
{
"@id": "_:Nc4cbcf4a0f164710b05aef399519a582",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:filters"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundNetworkTraffic"
}
},
{
"@id": "d3f:T1062",
"@type": "owl:Class",
"d3f:attack-id": "T1062",
"d3f:definition": "**This technique has been deprecated and should no longer be used.**",
"owl:deprecated": true,
"rdfs:comment": "**This technique has been deprecated and should no longer be used.**",
"rdfs:label": "Hypervisor",
"rdfs:subClassOf": {
"@id": "d3f:PersistenceTechnique"
}
},
{
"@id": "d3f:VariableInitialization",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3-VI",
"d3f:definition": "Setting variables to a known value before use.",
"d3f:hardens": {
"@id": "d3f:Subroutine"
},
"d3f:kb-article": "## How it Works\nInitializing variables upon declaration ensures that the variable has a known quantity before use.\n\n## Considerations\n* Default behavior when declaring variables varies by language.\n* This is particularly important in programming languages that do not initialize variables to a default value upon declaration. In these instances, the value that a variable will contain after declaration is indeterminate which can cause issues. In fact, that value could be different each time the program is ran.\n* Note: This resource should not be considered a definitive or exhaustive coding guideline.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-CManualIntegerInitialization_GNU"
},
{
"@id": "d3f:Reference-VariableInitialization_CWE"
}
],
"rdfs:label": "Variable Initialization",
"rdfs:subClassOf": [
{
"@id": "d3f:SourceCodeHardening"
},
{
"@id": "_:N771944d4bb0b4643a53eb2462d23ac03"
}
]
},
{
"@id": "_:N771944d4bb0b4643a53eb2462d23ac03",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:hardens"
},
"owl:someValuesFrom": {
"@id": "d3f:Subroutine"
}
},
{
"@id": "d3f:T1074.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1074.001",
"d3f:definition": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
"d3f:may-create": {
"@id": "d3f:File"
},
"d3f:may-invoke": {
"@id": "d3f:CreateFile"
},
"rdfs:label": "Local Data Staging",
"rdfs:subClassOf": [
{
"@id": "d3f:T1074"
},
{
"@id": "_:N6d035165780344a282c6f3fd4c734da0"
},
{
"@id": "_:N66cd20827527472884e697aa1d7cbb5b"
}
]
},
{
"@id": "_:N6d035165780344a282c6f3fd4c734da0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "_:N66cd20827527472884e697aa1d7cbb5b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateFile"
}
},
{
"@id": "d3f:CCI-001200_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:DiskEncryption"
},
{
"@id": "d3f:FileEncryption"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001200"
},
{
"@id": "d3f:Dyna-Q",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DQ",
"d3f:definition": "A Dyna-Q agent combines acting, learning, and planning.",
"d3f:kb-article": "## References\nCompNeuro Neuromatch Academy Tutorials. [Link](https://compneuro.neuromatch.io/tutorials/W3D4_ReinforcementLearning/student/W3D4_Tutorial4.html)",
"rdfs:label": "Dyna-Q",
"rdfs:subClassOf": {
"@id": "d3f:Model-basedReinforcementLearning"
}
},
{
"@id": "d3f:LogicalLink",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A Logical Link is an abstract or virtual connection between two entities that facilitates communication or data exchange without requiring a direct physical connection.",
"rdfs:label": "Logical Link",
"rdfs:subClassOf": {
"@id": "d3f:Link"
}
},
{
"@id": "d3f:T1586.002",
"@type": "owl:Class",
"d3f:attack-id": "T1586.002",
"d3f:definition": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).",
"rdfs:label": "Email Accounts",
"rdfs:subClassOf": {
"@id": "d3f:T1586"
}
},
{
"@id": "d3f:MemoryEvent",
"@type": "owl:Class",
"d3f:definition": "An event capturing operations on the memory resources of a system, encompassing allocation, modification, access, protection, or deallocation.",
"rdfs:label": "Memory Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/classes/memory_activity"
},
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalEvent"
},
{
"@id": "_:N1626b7e43a2e498fb52b89fba681e6e3"
},
{
"@id": "_:Ne8fc5a5951f342e8b2ec111952d15bf2"
}
]
},
{
"@id": "_:N1626b7e43a2e498fb52b89fba681e6e3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryAddress"
}
},
{
"@id": "_:Ne8fc5a5951f342e8b2ec111952d15bf2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryExtent"
}
},
{
"@id": "d3f:CWE-185",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-185",
"d3f:definition": "The product specifies a regular expression in a way that causes data to be improperly matched or compared.",
"rdfs:label": "Incorrect Regular Expression",
"rdfs:subClassOf": {
"@id": "d3f:CWE-697"
}
},
{
"@id": "d3f:CWE-186",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-186",
"d3f:definition": "A regular expression is overly restrictive, which prevents dangerous values from being detected.",
"rdfs:label": "Overly Restrictive Regular Expression",
"rdfs:subClassOf": {
"@id": "d3f:CWE-185"
}
},
{
"@id": "d3f:CAPEC-663",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:CommonAttackPattern"
],
"d3f:capec-id": "CAPEC-553",
"rdfs:isDefinedBy": {
"@id": "https://capec.mitre.org/data/definitions/663.html"
},
"rdfs:label": "Exploitation of Transient Instruction Execution",
"rdfs:subClassOf": {
"@id": "d3f:CommonAttackPattern"
}
},
{
"@id": "d3f:CWE-640",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-640",
"d3f:definition": "The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.",
"rdfs:label": "Weak Password Recovery Mechanism for Forgotten Password",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1390"
}
},
{
"@id": "d3f:MacOSKeychain",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Keychain is the password management system in macOS, developed by Apple. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of the operating system, now known as macOS. A Keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes.",
"rdfs:isDefinedBy": {
"@id": "dbr:Keychain_(software)"
},
"rdfs:label": "MacOS Keychain",
"rdfs:subClassOf": {
"@id": "d3f:PasswordStore"
},
"skos:altLabel": "Keychain"
},
{
"@id": "d3f:CyberSensor",
"@type": "owl:Class",
"d3f:definition": "A cyber sensor collects and monitors data related to cyber activities, events, or environments.",
"rdfs:label": "Cyber Sensor",
"rdfs:subClassOf": {
"@id": "d3f:Sensor"
}
},
{
"@id": "d3f:CWE-382",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-382",
"d3f:definition": "A J2EE application uses System.exit(), which also shuts down its container.",
"rdfs:label": "J2EE Bad Practices: Use of System.exit()",
"rdfs:subClassOf": {
"@id": "d3f:CWE-705"
}
},
{
"@id": "d3f:UserAccountEvent",
"@type": "owl:Class",
"d3f:definition": "An event capturing operations or state changes performed on user accounts, including lifecycle management, access control modifications, and policy assignments.",
"rdfs:label": "User Account Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/classes/account_change"
},
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalEvent"
},
{
"@id": "_:N5359321186ab49cdbc70cb71efa8be67"
}
]
},
{
"@id": "_:N5359321186ab49cdbc70cb71efa8be67",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:NetworkResourceAccessMediation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:NetworkResourceAccessMediation"
],
"d3f:d3fend-id": "D3-NRAM",
"d3f:definition": "Control of access to organizational systems and services by users or processes over a network.",
"d3f:isolates": {
"@id": "d3f:NetworkResource"
},
"d3f:kb-article": "## How it works\n\nNetwork Resource Access Control involves managing and regulating access to resources within an organization's network. This includes ensuring that only authorized users or processes can access specific systems or data, often through authentication and authorization mechanisms. Examples include accessing internal databases, file servers, or application services.",
"d3f:kb-reference": {
"@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
},
"d3f:synonym": "Remote Access Control",
"rdfs:label": "Network Resource Access Mediation",
"rdfs:subClassOf": [
{
"@id": "d3f:AccessMediation"
},
{
"@id": "_:N5d5713b404b94846bcab6b5eb6a336c6"
}
]
},
{
"@id": "_:N5d5713b404b94846bcab6b5eb6a336c6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:isolates"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkResource"
}
},
{
"@id": "d3f:Reference-ComputationalModelingAndClassificationOfDataStreams_CrowdstrikeInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20180197089A1/en?oq=US-2018197089-A1"
},
"d3f:kb-abstract": "Example techniques described herein determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processor can locate training analysis regions of training data streams based on predetermined structure data, and determining training model inputs based on the training analysis regions. The processor can determine a computational model based on the training model inputs. The computational model can receive an input vector and provide a corresponding feature vector. The processor can then locate a trial analysis region of a trial data stream based on the predetermined structure data and determine a trial model input. The processor can operate the computational model based on the trial model input to provide a trial feature vector, e.g., a signature. The processor can operate a second computational model to provide a classification based on the signature.",
"d3f:kb-author": "Sven Krasser; David Elkind; Patrick Crenshaw; Brett Meyer",
"d3f:kb-mitre-analysis": "Provides a mechanism to classify files using file signatures based on a computational model. Training data that comprises at least a portion of a file, e.g. number of bytes, is used as input to the computational model to develop a file signature and classify the file as malware.",
"d3f:kb-organization": "Crowdstrike Inc",
"d3f:kb-reference-of": {
"@id": "d3f:FileContentRules"
},
"d3f:kb-reference-title": "Computational modeling and classification of data streams",
"rdfs:label": "Reference - Computational modeling and classification of data streams - Crowdstrike Inc"
},
{
"@id": "d3f:MobilePhone",
"@type": "owl:Class",
"d3f:definition": "A mobile phone, cellular phone, cell phone, cellphone or hand phone, sometimes shortened to simply mobile, cell or just phone, is a portable telephone that can make and receive calls over a radio frequency link while the user is moving within a telephone service area. The radio frequency link establishes a connection to the switching systems of a mobile phone operator, which provides access to the public switched telephone network (PSTN). Modern mobile telephone services use a cellular network architecture and, therefore, mobile telephones are called cellular telephones or cell phones in North America. In addition to telephony, digital mobile phones (2G) support a variety of other services, such as text messaging, MMS, email, Internet access, short-range wireless communications (infrared,",
"rdfs:isDefinedBy": {
"@id": "dbr:Mobile_phone"
},
"rdfs:label": "Mobile Phone",
"rdfs:subClassOf": {
"@id": "d3f:PersonalComputer"
},
"skos:altLabel": [
"Cellphone",
"Cellular Phone"
]
},
{
"@id": "d3f:precedes",
"@type": "owl:ObjectProperty",
"d3f:definition": "x precedes y: The event or action x occurs before event or action y in time.",
"rdfs:isDefinedBy": {
"@id": "http://purl.obolibrary.org/obo/BFO_0000063"
},
"rdfs:label": "precedes",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:NetworkConnectionResetEvent",
"@type": "owl:Class",
"d3f:definition": "An event where an attempt is made to establish a network connection.",
"rdfs:label": "Network Connection Reset Event",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkConnectionEvent"
},
{
"@id": "_:N848a29cbaca54496bfc0da69a48b61de"
}
]
},
{
"@id": "_:N848a29cbaca54496bfc0da69a48b61de",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkConnectionOpenEvent"
}
},
{
"@id": "d3f:may-run",
"@type": "owl:ObjectProperty",
"d3f:definition": "x may-run y: They entity x may run the thing y; that is, 'x runs y' may be true.",
"rdfs:label": "may-run",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:WindowsNTGetThreadContext",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"rdfs:label": "Windows NtGetThreadContext",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIGetThreadContext"
}
},
{
"@id": "d3f:T1032",
"@type": "owl:Class",
"d3f:attack-id": "T1032",
"d3f:definition": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1573",
"rdfs:label": "Standard Cryptographic Protocol",
"rdfs:seeAlso": "T1573",
"rdfs:subClassOf": {
"@id": "d3f:CommandAndControlTechnique"
}
},
{
"@id": "d3f:T1647",
"@type": "owl:Class",
"d3f:attack-id": "T1647",
"d3f:definition": "Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)",
"rdfs:label": "Plist File Modification",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:M1033",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": [
{
"@id": "d3f:ExecutableAllowlisting"
},
{
"@id": "d3f:ExecutableDenylisting"
}
],
"rdfs:label": "Limit Software Installation"
},
{
"@id": "d3f:CCI-001111_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001111"
},
{
"@id": "d3f:OTProtocolMessage",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Packets generated by an operational technology protocol contain an OT protocol message.",
"rdfs:label": "OT Protocol Message",
"rdfs:subClassOf": {
"@id": "d3f:DigitalMessage"
}
},
{
"@id": "d3f:RDPSession",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A Remote Desktop Protocol (RDP) session is a session established using the RDP protocol to access Remove Desktop Services (RDS).",
"rdfs:label": "RDP Session",
"rdfs:seeAlso": [
{
"@id": "dbr:Remote_Desktop_Protocol"
},
{
"@id": "dbr:Remote_Desktop_Services"
}
],
"rdfs:subClassOf": {
"@id": "d3f:RemoteSession"
},
"skos:altLabel": [
"Remote Desktop Session",
"Terminal Services"
]
},
{
"@id": "d3f:CWE-1090",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1090",
"d3f:definition": "A method for a class performs an operation that directly accesses a member element from another class.",
"rdfs:label": "Method Containing Access of a Member Element from Another Class",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1061"
}
},
{
"@id": "d3f:PrincipalComponentsAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-PCA",
"d3f:definition": "Principal Component Analysis (PCA) is a statistic-based method of identifying patterns in a large dataset while increasing interpretability and preserving information.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Principal component analysis. [Link](https://en.wikipedia.org/wiki/Principal_component_analysis)",
"rdfs:label": "Principal Components Analysis",
"rdfs:subClassOf": {
"@id": "d3f:DimensionReduction"
}
},
{
"@id": "d3f:CWE-1070",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1070",
"d3f:definition": "The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.",
"rdfs:label": "Serializable Data Element Containing non-Serializable Item Elements",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1076"
},
{
"@id": "d3f:CWE-710"
}
]
},
{
"@id": "d3f:Directory",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories. On many computers, directories are known as folders, or drawers to provide some relevancy to a workbench or the traditional office file cabinet.",
"d3f:may-contain": {
"@id": "d3f:File"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Directory_(computing)"
},
"rdfs:label": "Directory",
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:N012b3bdbde3349459088845610e727a0"
}
]
},
{
"@id": "_:N012b3bdbde3349459088845610e727a0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:MachineLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-ML",
"d3f:definition": "Machine learning techniques are computational methods that combine statistics, probability, and optimization to make accurate predictions and/or improve performance.",
"d3f:kb-article": "## References\nMachine learning.\" Wikipedia. [Link](https://en.wikipedia.org/wiki/Machine_learning).",
"rdfs:label": "Machine Learning",
"rdfs:subClassOf": {
"@id": "d3f:AnalyticTechnique"
}
},
{
"@id": "d3f:Reference-CAR-2021-01-003%3AClearingWindowsLogsWithWevtutil_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2021-01-003/"
},
"d3f:kb-abstract": "In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2021-01-003: Clearing Windows Logs with Wevtutil",
"rdfs:label": "Reference - CAR-2021-01-003: Clearing Windows Logs with Wevtutil - MITRE"
},
{
"@id": "d3f:T1488",
"@type": "owl:Class",
"d3f:attack-id": "T1488",
"d3f:definition": "Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1561.001",
"rdfs:label": "Disk Content Wipe",
"rdfs:seeAlso": "T1561.001",
"rdfs:subClassOf": {
"@id": "d3f:ImpactTechnique"
}
},
{
"@id": "d3f:FQDNDomainName",
"@type": [
"owl:NamedIndividual",
"d3f:DomainName"
],
"rdfs:label": "FQDN Domain Name"
},
{
"@id": "d3f:IntranetDNSLookup",
"@type": "owl:Class",
"d3f:definition": "An Intranet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a that same network.",
"rdfs:label": "Intranet DNS Lookup",
"rdfs:seeAlso": {
"@id": "dbr:Intranet"
},
"rdfs:subClassOf": {
"@id": "d3f:DNSLookup"
}
},
{
"@id": "d3f:LoadLibraryEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a process dynamically loads a library or module into its memory space, extending its capabilities.",
"rdfs:label": "Load Library Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessEvent"
},
{
"@id": "_:N6c67aeca852b4825aedbd78005d954bd"
},
{
"@id": "_:N74c7737ba9374f16a8146f46957be5d3"
}
]
},
{
"@id": "_:N6c67aeca852b4825aedbd78005d954bd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:SharedLibraryFile"
}
},
{
"@id": "_:N74c7737ba9374f16a8146f46957be5d3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessCreationEvent"
}
},
{
"@id": "d3f:verifies",
"@type": "owl:ObjectProperty",
"d3f:definition": "x verifies y: A technique x confirms the truth of a digital artifact y.",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/00666401-v"
},
"rdfs:label": "verifies",
"rdfs:seeAlso": [
{
"@id": "dbr:Formal_verification"
},
{
"@id": "dbr:Runtime_verification"
},
{
"@id": "http://wordnet-rdf.princeton.edu/id/00665271-v"
}
],
"rdfs:subPropertyOf": [
{
"@id": "d3f:analyzes"
},
{
"@id": "d3f:associated-with"
}
]
},
{
"@id": "d3f:T1497.001",
"@type": "owl:Class",
"d3f:attack-id": "T1497.001",
"d3f:definition": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)",
"rdfs:label": "System Checks",
"rdfs:subClassOf": {
"@id": "d3f:T1497"
}
},
{
"@id": "d3f:TerminateProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "On many computer operating systems, a computer process terminates its execution by making an exit system call. More generally, an exit in a multithreading environment means that a thread of execution has stopped running. For resource management, the operating system reclaims resources (memory, files, etc.) that were used by the process. The process is said to be a dead process after it terminates.",
"d3f:terminates": {
"@id": "d3f:Process"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Exit_(system_call)"
},
"rdfs:label": "Terminate Process",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N8cbc6171b97c4d158d280a0e5626c488"
}
]
},
{
"@id": "_:N8cbc6171b97c4d158d280a0e5626c488",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:terminates"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:NTFSHardLink",
"@type": "owl:Class",
"d3f:definition": "An NTFS hard link points to another file, and files share the same MFT entry (inode), in the same filesystem.",
"rdfs:isDefinedBy": {
"@id": "dbr:NTFS_links"
},
"rdfs:label": "NTFS Hard Link",
"rdfs:seeAlso": {
"@id": "dbr:Hard_link"
},
"rdfs:subClassOf": [
{
"@id": "d3f:HardLink"
},
{
"@id": "d3f:NTFSLink"
}
]
},
{
"@id": "d3f:T1598.004",
"@type": "owl:Class",
"d3f:attack-id": "T1598.004",
"d3f:definition": "Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.",
"rdfs:label": "Spearphishing Voice",
"rdfs:subClassOf": {
"@id": "d3f:T1598"
}
},
{
"@id": "d3f:EventLogRotateEvent",
"@type": "owl:Class",
"d3f:definition": "An event where the event log is rotated, often as part of log rotation policies to manage storage and ensure continuity.",
"rdfs:label": "Event Log Rotate Event",
"rdfs:subClassOf": {
"@id": "d3f:EventLogEvent"
}
},
{
"@id": "d3f:Reference-TamperProofMutatingSoftware_ARXANTECHNOLOGIESInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US9262600B2/en?oq=US9262600B2"
},
"d3f:kb-abstract": "System and method is disclosed for protecting client software running on a client computer from tampering using a secure server. Prior to or independent of executing the client software, the system integrates self-protection into the client software; removes functions from the client software for execution on the server; develops client software self-protection updates; and periodically distributes the updates. During execution of the client software, the system receives an initial request from the client computer for execution of the removed function; verifies the initial request; and cooperates with the client computer in execution of the client software if verification is successful. If verification is unsuccessful, the system can attempt to update the client software on the client computer; and require a new initial request. Client software can be updated on occurrence of a triggering event. Communications can be encrypted, and the encryption updated. Authenticating checksums can be used for verification.",
"d3f:kb-author": "Kevin Dale Morgan",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "ARXAN TECHNOLOGIES Inc",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessCodeSegmentVerification"
},
"d3f:kb-reference-title": "Tamper proof mutating software",
"rdfs:label": "Reference - Tamper proof mutating software - ARXAN TECHNOLOGIES Inc"
},
{
"@id": "d3f:may-produce",
"@type": "owl:ObjectProperty",
"d3f:definition": "x may-produce y: They entity x may produce the thing y; that is, 'x produces y' may be true.",
"rdfs:label": "may-produce",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:Detect",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DefensiveTactic"
],
"d3f:definition": "The detect tactic is used to identify adversary access to or unauthorized activity on computer networks.",
"d3f:display-order": 1,
"d3f:display-priority": 0,
"rdfs:label": "Detect",
"rdfs:subClassOf": {
"@id": "d3f:DefensiveTactic"
}
},
{
"@id": "d3f:PacketLog",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A log of all the network packet data captured from a network by a network sensor (i.e., packet analyzer),",
"d3f:records": {
"@id": "d3f:NetworkSession"
},
"d3f:summarizes": {
"@id": "d3f:PacketCaptureFile"
},
"rdfs:label": "Packet Log",
"rdfs:seeAlso": {
"@id": "dbr:Packet_analyzer"
},
"rdfs:subClassOf": [
{
"@id": "d3f:Log"
},
{
"@id": "_:N726704284da2442382e4c6802501d138"
},
{
"@id": "_:N47b79cf8f1f6409ba75150539dabf1ef"
}
]
},
{
"@id": "_:N726704284da2442382e4c6802501d138",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:records"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkSession"
}
},
{
"@id": "_:N47b79cf8f1f6409ba75150539dabf1ef",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:summarizes"
},
"owl:someValuesFrom": {
"@id": "d3f:PacketCaptureFile"
}
},
{
"@id": "d3f:Reference-CAR-2020-05-001%3AMiniDumpOfLSASS_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-05-001/"
},
"d3f:kb-abstract": "This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call MiniDumpWriteDump. Tools like SafetyKatz, SafetyDump, and Outflank-Dumpert default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior.\n\nThe analytic is based on a Sigma analytic contributed by Samir Bousseaden and written up in a blog on MENASEC. It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in CAR-2019-08-001. In this iteration of the Sigma analytic, the GrantedAccess filter isn’t included because it didn’t seem to filter out any false positives and introduces the potential for evasion.\n\nThis analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:SystemCallAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-05-001: MiniDump of LSASS",
"rdfs:label": "Reference - CAR-2020-05-001: MiniDump of LSASS - MITRE"
},
{
"@id": "d3f:CCI-001494_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system protects audit tools from unauthorized modification.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:PlatformHardening"
},
{
"@id": "d3f:SystemConfigurationPermissions"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-29T00:00:00"
},
"rdfs:label": "CCI-001494"
},
{
"@id": "d3f:CCI-002403_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002403"
},
{
"@id": "d3f:NISTControl",
"@type": "owl:Class",
"rdfs:label": "NIST Control",
"rdfs:subClassOf": [
{
"@id": "d3f:ExternalControl"
},
{
"@id": "_:Ne49c2e05a2be4263b4b02b74987fb536"
}
]
},
{
"@id": "_:Ne49c2e05a2be4263b4b02b74987fb536",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:member-of"
},
"owl:someValuesFrom": {
"@id": "d3f:NISTSP800-53ControlCatalog"
}
},
{
"@id": "d3f:T1578",
"@type": "owl:Class",
"d3f:attack-id": "T1578",
"d3f:definition": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.",
"rdfs:label": "Modify Cloud Compute Infrastructure",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "_:Nc0d8e728cc0540dfae41d5e929b450da",
"@type": "owl:AllDisjointClasses",
"owl:members": {
"@list": [
{
"@id": "d3f:GeometricMean"
},
{
"@id": "d3f:HarmonicMean"
},
{
"@id": "d3f:Mean"
},
{
"@id": "d3f:Median"
},
{
"@id": "d3f:Mode"
},
{
"@id": "d3f:TrimmedMean"
},
{
"@id": "d3f:WeightedMean"
}
]
}
},
{
"@id": "d3f:CWE-1077",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1077",
"d3f:definition": "The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.",
"rdfs:label": "Floating Point Comparison with Incorrect Operator",
"rdfs:subClassOf": {
"@id": "d3f:CWE-697"
}
},
{
"@id": "d3f:BERT",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-BER",
"d3f:definition": "Bidirectional Encoder Representations from Transformers (BERT) is based on a deep learning model in which every output element is connected to every input element, and the weightings between them are dynamically calculated based upon their connection.",
"d3f:kb-article": "## References\nBERT (language model). (n.d.). In TechTarget. [Link](https://www.techtarget.com/searchenterpriseai/definition/BERT-language-model)\nBERT (language model). (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/BERT_(language_model))",
"d3f:synonym": "Bidirectional Encoder Representations from Transformers",
"rdfs:label": "BERT",
"rdfs:subClassOf": {
"@id": "d3f:Transformer-basedLearning"
}
},
{
"@id": "d3f:CWE-440",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-440",
"d3f:definition": "A feature, API, or function does not perform according to its specification.",
"rdfs:label": "Expected Behavior Violation",
"rdfs:subClassOf": {
"@id": "d3f:CWE-684"
}
},
{
"@id": "d3f:CWE-431",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-431",
"d3f:definition": "A handler is not available or implemented.",
"rdfs:label": "Missing Handler",
"rdfs:subClassOf": {
"@id": "d3f:CWE-691"
}
},
{
"@id": "d3f:T1566.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1566.001",
"d3f:definition": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.",
"d3f:produces": [
{
"@id": "d3f:Email"
},
{
"@id": "d3f:InboundInternetMailTraffic"
}
],
"rdfs:label": "Spearphishing Attachment",
"rdfs:subClassOf": [
{
"@id": "d3f:T1566"
},
{
"@id": "_:N4733912597b44747b504d4ed2f5c26e9"
},
{
"@id": "_:Nae93dba068684192b1045cd42def6f5f"
}
]
},
{
"@id": "_:N4733912597b44747b504d4ed2f5c26e9",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:Email"
}
},
{
"@id": "_:Nae93dba068684192b1045cd42def6f5f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:InboundInternetMailTraffic"
}
},
{
"@id": "d3f:CCI-001953_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:BiometricAuthentication"
},
{
"@id": "d3f:Certificate-basedAuthentication"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system accepts Personal Identity Verification (PIV) credentials.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-05-03T00:00:00"
},
"rdfs:label": "CCI-001953"
},
{
"@id": "d3f:T1674",
"@type": "owl:Class",
"d3f:attack-id": "T1674",
"d3f:definition": "Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).",
"rdfs:label": "Input Injection",
"rdfs:subClassOf": {
"@id": "d3f:ExecutionTechnique"
}
},
{
"@id": "d3f:CWE-673",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-673",
"d3f:definition": "The product does not prevent the definition of control spheres from external actors.",
"rdfs:label": "External Influence of Sphere Definition",
"rdfs:subClassOf": {
"@id": "d3f:CWE-664"
}
},
{
"@id": "d3f:T1614",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:ConfigurationResource"
},
"d3f:attack-id": "T1614",
"d3f:definition": "",
"rdfs:label": "System Location Discovery",
"rdfs:subClassOf": [
{
"@id": "d3f:DiscoveryTechnique"
},
{
"@id": "_:Nca30d3957e4146dfb2f145482d6e812b"
}
]
},
{
"@id": "_:Nca30d3957e4146dfb2f145482d6e812b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:ConfigurationResource"
}
},
{
"@id": "d3f:DeepQ-learning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DQL",
"d3f:definition": "Uses a deep convolutional neural network, with layers of tiled convolutional filters to mimic the effects of receptive fields.",
"d3f:kb-article": "## References\nQ-learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Q-learning#Deep_Q-learning).",
"rdfs:label": "Deep Q-learning",
"rdfs:subClassOf": {
"@id": "d3f:Q-Learning"
}
},
{
"@id": "d3f:CWE-1063",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1063",
"d3f:definition": "A static code block creates an instance of a class.",
"rdfs:label": "Creation of Class Instance within a Static Code Block",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1176"
}
},
{
"@id": "d3f:CWE-319",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-319",
"d3f:definition": "The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.",
"rdfs:label": "Cleartext Transmission of Sensitive Information",
"rdfs:subClassOf": {
"@id": "d3f:CWE-311"
}
},
{
"@id": "d3f:T1020",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1020",
"d3f:definition": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)",
"d3f:produces": {
"@id": "d3f:InternetNetworkTraffic"
},
"rdfs:label": "Automated Exfiltration",
"rdfs:subClassOf": [
{
"@id": "d3f:ExfiltrationTechnique"
},
{
"@id": "_:N8fa3ec27b2024e9bab6bb681d5e3154c"
}
]
},
{
"@id": "_:N8fa3ec27b2024e9bab6bb681d5e3154c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:InternetNetworkTraffic"
}
},
{
"@id": "d3f:DivisiveClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DC",
"d3f:definition": "A divisive clustering approach is a hierarchical, top-down approach to clustering a dataset.",
"rdfs:label": "Divisive Clustering",
"rdfs:subClassOf": {
"@id": "d3f:HierarchicalClustering"
}
},
{
"@id": "d3f:CCI-001128_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:EncryptedTunnels"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001128"
},
{
"@id": "d3f:CWE-379",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-379",
"d3f:definition": "The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.",
"rdfs:label": "Creation of Temporary File in Directory with Insecure Permissions",
"rdfs:subClassOf": {
"@id": "d3f:CWE-377"
}
},
{
"@id": "d3f:LinuxELFFile64bit",
"@type": [
"owl:NamedIndividual",
"d3f:ExecutableBinary"
],
"rdfs:label": "Linux ELF File 64bit"
},
{
"@id": "d3f:T1048.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1048.001",
"d3f:definition": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.",
"d3f:produces": {
"@id": "d3f:OutboundInternetEncryptedTraffic"
},
"rdfs:label": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
"rdfs:subClassOf": [
{
"@id": "d3f:T1048"
},
{
"@id": "_:N2a123009e4014e609608768ff7e2e6fd"
}
]
},
{
"@id": "_:N2a123009e4014e609608768ff7e2e6fd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetEncryptedTraffic"
}
},
{
"@id": "d3f:T1553.005",
"@type": "owl:Class",
"d3f:attack-id": "T1553.005",
"d3f:definition": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)",
"rdfs:label": "Mark-of-the-Web Bypass",
"rdfs:subClassOf": {
"@id": "d3f:T1553"
}
},
{
"@id": "d3f:Reference-PointerAuthenticationOnARMv8.3",
"@type": [
"owl:NamedIndividual",
"d3f:SpecificationReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf"
},
"d3f:kb-abstract": "The pointer authentication scheme introduced by ARM is a software security primitive that makes it much harder for an attacker to modify protected pointers in memory without being detected. In this document, we will provide more details about the Pointer Authentication mechanism, provide a security analysis, and discuss the implementation of certain software security countermeasures, such as stack protection and control flow integrity, using the Pointer Authentication primitives.",
"d3f:kb-author": "Qualcomm Technologies, Inc",
"d3f:kb-organization": "Qualcomm Technologies, Inc",
"d3f:kb-reference-of": {
"@id": "d3f:PointerAuthentication"
},
"d3f:kb-reference-title": "Pointer Authentication on ARMv8.3",
"rdfs:label": "Reference - Pointer Authentication on ARMv8.3"
},
{
"@id": "d3f:MeanAbsoluteDeviation",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-MAD",
"d3f:definition": "The mean absolute deviation (MAD), also referred to as the \"mean deviation\" or sometimes \"average absolute deviation\", is the mean of the data's absolute deviations around the data's mean: the average (absolute) distance from the mean.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)",
"d3f:synonym": "MAD",
"rdfs:label": "Mean Absolute Deviation",
"rdfs:subClassOf": {
"@id": "d3f:AverageAbsoluteDeviation"
}
},
{
"@id": "d3f:CCI-000346_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs automated mechanisms to enforce access restrictions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:LocalFilePermissions"
},
{
"@id": "d3f:UserAccountPermissions"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-18T00:00:00"
},
"rdfs:label": "CCI-000346"
},
{
"@id": "d3f:OTControlProgram",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "The file stored in controller memory that is used to operate the controller.",
"d3f:instructs": {
"@id": "d3f:OTControlLogicProcess"
},
"d3f:synonym": "OT Project File",
"rdfs:label": "OT Control Program",
"rdfs:subClassOf": [
{
"@id": "d3f:ServiceApplication"
},
{
"@id": "_:Nf0a181c6647b49fc861ceb22d1c05ec9"
}
]
},
{
"@id": "_:Nf0a181c6647b49fc861ceb22d1c05ec9",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:instructs"
},
"owl:someValuesFrom": {
"@id": "d3f:OTControlLogicProcess"
}
},
{
"@id": "d3f:Kurtosis",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-KUR",
"d3f:definition": "The measure of the \"fatness\" of the tails of a pmf or pdf. The fourth standardized moment of the distribution.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Probability distribution. [Link](https://en.wikipedia.org/wiki/Probability_distribution)",
"rdfs:label": "Kurtosis",
"rdfs:subClassOf": {
"@id": "d3f:DistributionProperties"
}
},
{
"@id": "d3f:CWE-286",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-286",
"d3f:definition": "The product does not properly manage a user within its environment.",
"rdfs:label": "Incorrect User Management",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:VirtualMemorySpace",
"@type": "owl:Class",
"d3f:definition": "Virtual memory is a memory management technique where secondary memory can be used as if it were a part of the main memory. Virtual memory uses hardware and software to enable a computer to compensate for physical memory shortages",
"rdfs:isDefinedBy": {
"@id": "https://whatis.techtarget.com/definition/memory"
},
"rdfs:label": "Virtual Memory Space",
"rdfs:seeAlso": {
"@id": "https://dbpedia.org/page/Virtual_memory"
},
"rdfs:subClassOf": {
"@id": "d3f:MemoryAddressSpace"
}
},
{
"@id": "d3f:RemoteSession",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A remote login session is a login session where a client has logged in from their local host machine to a server via a network.",
"rdfs:label": "Remote Session",
"rdfs:subClassOf": {
"@id": "d3f:NetworkSession"
}
},
{
"@id": "d3f:CCI-002306_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:SystemConfigurationPermissions"
},
{
"@id": "d3f:UserAccountPermissions"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-24T00:00:00"
},
"rdfs:label": "CCI-002306"
},
{
"@id": "d3f:T1487",
"@type": "owl:Class",
"d3f:attack-id": "T1487",
"d3f:definition": "Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1561.002",
"rdfs:label": "Disk Structure Wipe",
"rdfs:seeAlso": "T1561.002",
"rdfs:subClassOf": {
"@id": "d3f:ImpactTechnique"
}
},
{
"@id": "d3f:CWE-1115",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1115",
"d3f:definition": "The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.",
"rdfs:label": "Source Code Element without Standard Prologue",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1078"
}
},
{
"@id": "d3f:Reference-CAR-2021-01-006%3AUnusualChildProcessSpawnedUsingDDEExploit_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2021-01-006/"
},
"d3f:kb-abstract": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit",
"rdfs:label": "Reference - CAR-2021-01-006: Unusual Child Process spawned using DDE exploit - MITRE"
},
{
"@id": "d3f:VirtualAddress",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A virtual address in memory is a pointer or marker for a memory space that an operating system allows a process to use. The virtual address points to a location in primary storage that a process can use independently of other processes.",
"d3f:synonym": "Logical Address",
"rdfs:isDefinedBy": {
"@id": "https://www.techopedia.com/definition/9934/virtual-address-va"
},
"rdfs:label": "Virtual Address",
"rdfs:seeAlso": [
{
"@id": "https://dbpedia.org/page/Virtual_address_space"
},
{
"@id": "https://en.wikipedia.org/wiki/Memory_address#Logical_addresses"
}
],
"rdfs:subClassOf": {
"@id": "d3f:MemoryAddress"
}
},
{
"@id": "d3f:ObjectFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An object file is a file that contains relocatable machine code.",
"rdfs:label": "Object File",
"rdfs:seeAlso": {
"@id": "dbr:Object_file"
},
"rdfs:subClassOf": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:CCI-001404_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system automatically audits account disabling actions.",
"d3f:exactly": {
"@id": "d3f:DomainAccountMonitoring"
},
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-24T00:00:00"
},
"rdfs:label": "CCI-001404"
},
{
"@id": "d3f:CWE-1176",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1176",
"d3f:definition": "The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.",
"rdfs:label": "Inefficient CPU Computation",
"rdfs:subClassOf": {
"@id": "d3f:CWE-405"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-4_2",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "System Monitoring | Automated Tools and Mechanisms for Real-time Analysis",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:NetworkTrafficAnalysis"
},
"rdfs:label": "SI-4(2)"
},
{
"@id": "d3f:T1566.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1566.003",
"d3f:definition": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.",
"d3f:produces": [
{
"@id": "d3f:File"
},
{
"@id": "d3f:URL"
}
],
"rdfs:label": "Spearphishing via Service",
"rdfs:subClassOf": [
{
"@id": "d3f:T1566"
},
{
"@id": "_:N4fb2b497f5264affa22d412c24da12ed"
},
{
"@id": "_:Na7b9a2a954484796a5ced10642c4a485"
}
]
},
{
"@id": "_:N4fb2b497f5264affa22d412c24da12ed",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "_:Na7b9a2a954484796a5ced10642c4a485",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:URL"
}
},
{
"@id": "d3f:CWE-232",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-232",
"d3f:definition": "The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.",
"rdfs:label": "Improper Handling of Undefined Values",
"rdfs:subClassOf": {
"@id": "d3f:CWE-229"
}
},
{
"@id": "d3f:T1219.002",
"@type": "owl:Class",
"d3f:attack-id": "T1219.002",
"d3f:definition": "An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)",
"rdfs:label": "Remote Desktop Software",
"rdfs:subClassOf": {
"@id": "d3f:T1219"
}
},
{
"@id": "d3f:M1055",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"rdfs:label": "Do Not Mitigate"
},
{
"@id": "d3f:DiskPartitioning",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DiskPartitioning"
],
"d3f:creates": {
"@id": "d3f:PartitionTable"
},
"d3f:d3fend-id": "D3-DKP",
"d3f:definition": "Disk Partitioning is the process of dividing a disk into multiple distinct sections, known as partitions.",
"d3f:kb-article": "### How it works\n\nEach partition can be managed separately and can have its own file system. Disk partitioning can be used to segregate sensitive data from less critical data, improve system performance, and enhance data management and recovery processes. It can also help in isolating different operating systems or environments on the same physical disk.",
"d3f:kb-reference": {
"@id": "d3f:Reference-Remembranceofdatapassed:Astudyofdisksanitizationpractices"
},
"rdfs:label": "Disk Partitioning",
"rdfs:subClassOf": [
{
"@id": "d3f:DiskFormatting"
},
{
"@id": "_:Ndddb6f2d6abf4b1d956bfbdac75b67fb"
}
]
},
{
"@id": "_:Ndddb6f2d6abf4b1d956bfbdac75b67fb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:PartitionTable"
}
},
{
"@id": "d3f:T1546.006",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1546.006",
"d3f:definition": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.",
"d3f:modifies": {
"@id": "d3f:ExecutableBinary"
},
"rdfs:label": "LC_LOAD_DYLIB Addition",
"rdfs:subClassOf": [
{
"@id": "d3f:T1546"
},
{
"@id": "_:N322406175f394ad69e1dc60728a140f4"
}
]
},
{
"@id": "_:N322406175f394ad69e1dc60728a140f4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableBinary"
}
},
{
"@id": "d3f:process-parent",
"@type": "owl:ObjectProperty",
"d3f:definition": "x process-parent y: The process y created the process x (directly) with a create process event.",
"rdfs:label": "process-parent",
"rdfs:subPropertyOf": {
"@id": "d3f:process-ancestor"
},
"skos:altLabel": "processParent"
},
{
"@id": "d3f:SingularValueDecomposition",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SVD",
"d3f:definition": "Singular Value Decomposition (SVD) is an algorithm that represents a matrix as a linear series of data and to find the set of factors that will best predict an outcome",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Singular value decomposition. [Link](https://en.wikipedia.org/wiki/Singular_value_decomposition)",
"rdfs:label": "Singular Value Decomposition",
"rdfs:subClassOf": {
"@id": "d3f:DimensionReduction"
}
},
{
"@id": "d3f:terminates",
"@type": "owl:ObjectProperty",
"d3f:definition": "x terminates y: The technique x brings to an end or halt to some activity y.",
"d3f:synonym": "aborts",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/00353480-v"
},
"rdfs:label": "terminates",
"rdfs:seeAlso": {
"@id": "http://wordnet-rdf.princeton.edu/id/00354493-v"
},
"rdfs:subPropertyOf": [
{
"@id": "d3f:associated-with"
},
{
"@id": "d3f:evicts"
}
]
},
{
"@id": "d3f:T1593.002",
"@type": "owl:Class",
"d3f:attack-id": "T1593.002",
"d3f:definition": "Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)",
"rdfs:label": "Search Engines",
"rdfs:subClassOf": {
"@id": "d3f:T1593"
}
},
{
"@id": "d3f:CWE-624",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-624",
"d3f:definition": "The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.",
"rdfs:label": "Executable Regular Expression Error",
"rdfs:subClassOf": {
"@id": "d3f:CWE-77"
}
},
{
"@id": "d3f:OrchestrationServer",
"@type": "owl:Class",
"d3f:definition": "A d3f:Server which is involved with the orchestration of workloads or the execution of orchestrated workloads.",
"rdfs:label": "Orchestration Server",
"rdfs:seeAlso": {
"@id": "dbr:Orchestration_(computing)"
},
"rdfs:subClassOf": {
"@id": "d3f:Server"
}
},
{
"@id": "d3f:T1564.009",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1564.009",
"d3f:definition": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)",
"d3f:may-create": {
"@id": "d3f:ResourceFork"
},
"d3f:may-modify": {
"@id": "d3f:ResourceFork"
},
"rdfs:label": "Resource Forking",
"rdfs:subClassOf": [
{
"@id": "d3f:T1564"
},
{
"@id": "_:Nc29dd2e487e84907907216b98108d7ed"
},
{
"@id": "_:Nfb44cf77b4a848388d465af575887d7a"
}
]
},
{
"@id": "_:Nc29dd2e487e84907907216b98108d7ed",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:ResourceFork"
}
},
{
"@id": "_:Nfb44cf77b4a848388d465af575887d7a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:ResourceFork"
}
},
{
"@id": "d3f:CWE-313",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-313",
"d3f:definition": "The product stores sensitive information in cleartext in a file, or on disk.",
"rdfs:label": "Cleartext Storage in a File or on Disk",
"rdfs:subClassOf": {
"@id": "d3f:CWE-312"
}
},
{
"@id": "d3f:T1016",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1016",
"d3f:definition": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).",
"d3f:may-execute": {
"@id": "d3f:ExecutableScript"
},
"d3f:may-invoke": [
{
"@id": "d3f:CreateProcess"
},
{
"@id": "d3f:GetSystemNetworkConfigValue"
}
],
"rdfs:label": "System Network Configuration Discovery",
"rdfs:subClassOf": [
{
"@id": "d3f:DiscoveryTechnique"
},
{
"@id": "_:Ne8d901dc2ff14ce1a4c1a1a6fe4a49da"
},
{
"@id": "_:N1dfe0d5c493c4cd987cc66b6f6ba31af"
},
{
"@id": "_:Nb80d073011144aa4be4b40149269acb5"
}
]
},
{
"@id": "_:Ne8d901dc2ff14ce1a4c1a1a6fe4a49da",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-execute"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableScript"
}
},
{
"@id": "_:N1dfe0d5c493c4cd987cc66b6f6ba31af",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "_:Nb80d073011144aa4be4b40149269acb5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:GetSystemNetworkConfigValue"
}
},
{
"@id": "d3f:K-NearestNeighbors",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-KNN",
"d3f:definition": "The k-nearest neighbors algorithm, also known as KNN or k-NN, is a non-parametric, supervised learning classifier, which uses proximity to make classifications or predictions about the grouping of an individual data point.",
"d3f:kb-article": "## **How it works**\nThe goal of the k-nearest neighbor algorithm is to identify the nearest neighbors of a given query point, so that we can assign a class label to that point. To determine which data points are closest to a given query point, the distance between the query point and the other data points will need to be calculated. The distance measures used can vary depending on the data set or implementation and help inform decision boundaries, which query points into different regions. Then, by defining the k-value (the number of neighbors to be checked to determine the classification of a specific query point), the data can be assigned its class label.\n\nFor classification problems, a class label is assigned on the basis of a majority vote—i.e. the label that is most frequently represented around a given data point is used (the term “majority vote” is commonly used in literature, however, the technique is more technically considered “plurality voting”). Regression problems use a similar concept as classification problem, but in this case, the average the k nearest neighbors is taken to make a prediction about a classification. The main distinction here is that classification is used for discrete values, whereas regression is used with continuous ones.\n\nUnlike other algorithms that explicitly model the problem, such as linear regression, KNN is instance-based. It means that the algorithm doesn't explicitly learn a model. Instead, it memorizes the training instances and uses them as \"knowledge\" for the prediction phase. It's also worth noting that the KNN algorithm is also part of a family of “lazy learning” models, meaning that it only stores a training dataset versus undergoing a training stage.\n\n## **Considerations**\n\n* **Scaling:** Scaling is a problem as KNN is a lazy algorithm and takes up more memory and storage compared to other classification methods.\n\n* **Implementation and Hyperparameters:** As KNN only requires a k-value and a distance metric, it is often an easy implementation and can adjust will to new training data.\n\n## Key Test Considerations\n\n- **Supervised Learning:**\n\n - **Cross Validation:** As cross validation methods like k-fold, leave-one-out, and stratified cross validation can help validate model performance. However, nuances like pessimism bias in k-fold cross validation or high variability in leave-one-out cross validation may need consideration.\n\n- **Classification:**\n\n - **ROC Curve:** A standard technique used to summarize classifier performance over a range of tradeoffs between true and false positives is the Receiver Operating Characteristic (ROC) curve.\n\n - **Data Imbalance:** Imbalanced data sets where one class significantly outnumbers others, under sampling techniques like SMOTE may be beneficial in sampling minority classes.\n\n- **K-Nearest Neighbor**\n\n - **Choice of K:** The number of neighbors, K, affects the decision boundary. A smaller K can lead to a noisy decision boundary, while a large K can smooth it out, but may also blur class distinctions.\n\n - **K-d Tree:** Exact searching on large datasets can be computationally costly and inefficient. Implementing approximate nearest neighbor algorithms like the K-d tree algorithm.\n\n - **Dimensionality:** KNN does not perform well while using high-dimensional data and can be sensitive to irrelevant features which can lead to overfitting.\n\n - **Distance Metric:** Choosing the appropriate distance metric (Euclidean, Manhattan, MinKowski, Hamming etc.) is essential, based on the nature of the data.\n\n## **References**\n1. IBM. K-Nearest Neighbors Algorithm. [Link](https://www.ibm.com/topics/knn?mhsrc=ibmsearch_a&mhq=k-nearest%20neighbors%20).\n2. Muja, M., & Lowe, D. G. (2014). Scalable nearest neighbor algorithms for high dimensional data. IEEE Transactions on Pattern Analysis and Machine Intelligence. [Link]( https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6809191).\n3. Chawla, N. V., Bowyer, K. W., Hall, L. O., & Kegelmeyer, W. P. (2002). SMOTE: synthetic minority over-sampling technique. Journal of artificial intelligence research, 16, 321-357. [Link]( https://www.jair.org/index.php/jair/article/view/10302/24590).\n4. Kohavi, R. (1995). A study of cross-validation and bootstrap for accuracy estimation and model selection. Proceedings of the 14th international joint conference on Artificial intelligence . [Link]( https://www.ijcai.org/Proceedings/95-2/Papers/016.pdf).",
"rdfs:label": "K-Nearest Neighbors",
"rdfs:subClassOf": {
"@id": "d3f:Classification"
}
},
{
"@id": "d3f:T1653",
"@type": "owl:Class",
"d3f:attack-id": "T1653",
"d3f:definition": "Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)",
"rdfs:label": "Power Settings",
"rdfs:subClassOf": {
"@id": "d3f:PersistenceTechnique"
}
},
{
"@id": "d3f:ApplicationConfiguration",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Information used to configure the parameters and initial settings for an application.",
"rdfs:label": "Application Configuration",
"rdfs:seeAlso": {
"@id": "http://wordnet-rdf.princeton.edu/id/05739724-n"
},
"rdfs:subClassOf": {
"@id": "d3f:ConfigurationResource"
}
},
{
"@id": "d3f:T1600.002",
"@type": "owl:Class",
"d3f:attack-id": "T1600.002",
"d3f:definition": "Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.",
"rdfs:label": "Disable Crypto Hardware",
"rdfs:subClassOf": {
"@id": "d3f:T1600"
}
},
{
"@id": "d3f:CCI-000017_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system automatically disables inactive accounts after an organization-defined time period.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:AccountLocking"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-13T00:00:00"
},
"rdfs:label": "CCI-000017"
},
{
"@id": "d3f:DS0017",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task",
"rdfs:comment": "This data source captures events relating to commands and therefore has no direct mappings to digital artifacts.",
"rdfs:label": "Command (ATT&CK DS)"
},
{
"@id": "d3f:CredentialEviction",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:CredentialEviction"
],
"d3f:d3fend-id": "D3-CE",
"d3f:definition": "Credential Eviction techniques disable or remove compromised credentials from a computer network.",
"d3f:enables": {
"@id": "d3f:Evict"
},
"d3f:kb-reference": {
"@id": "d3f:Reference-AccountMonitoring_ForescoutTechnologies"
},
"rdfs:label": "Credential Eviction",
"rdfs:subClassOf": [
{
"@id": "d3f:DefensiveTechnique"
},
{
"@id": "_:N770c5c8747754b34891ecac17566bc71"
}
]
},
{
"@id": "_:N770c5c8747754b34891ecac17566bc71",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:Evict"
}
},
{
"@id": "d3f:T1156",
"@type": "owl:Class",
"d3f:attack-id": "T1156",
"d3f:definition": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command line interface or remotely logs in (such as SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1546.004",
"rdfs:label": "Malicious Shell Modification",
"rdfs:seeAlso": "T1546.004",
"rdfs:subClassOf": {
"@id": "d3f:PersistenceTechnique"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-10_5",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:broader": {
"@id": "d3f:DriverLoadIntegrityChecking"
},
"d3f:control-name": "Non-repudiation | Digital Signatures",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AU-10(5)"
},
{
"@id": "d3f:OSAPIExec",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An OS API function that replaces the current process image with a new processs image, executing a specified program.",
"d3f:invokes": {
"@id": "d3f:Exec"
},
"rdfs:label": "OS API Exec",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPISystemFunction"
},
{
"@id": "_:N28add693f1b8444d9b19d2535c44b8c3"
}
]
},
{
"@id": "_:N28add693f1b8444d9b19d2535c44b8c3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:Exec"
}
},
{
"@id": "d3f:CCI-001185_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system invalidates session identifiers upon user logout or other session termination.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:AuthenticationCacheInvalidation"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001185"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3_3",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Access Enforcement | Mandatory Access Control",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-3(3)"
},
{
"@id": "d3f:PhysicalAttacker",
"@type": "owl:Class",
"d3f:definition": "An attacker who is physically close enough to interact with the system directly, such as through physical access to devices.",
"rdfs:label": "Physical Attacker",
"rdfs:subClassOf": [
{
"@id": "d3f:LocalAttacker"
},
{
"@id": "_:N9dc55bee79884afc853f7d4ca361e39f"
},
{
"@id": "_:Nfce00fe971aa42de8c8318bbc0b264a1"
}
]
},
{
"@id": "_:N9dc55bee79884afc853f7d4ca361e39f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:ComputerPlatform"
}
},
{
"@id": "_:Nfce00fe971aa42de8c8318bbc0b264a1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:ContentValidation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ContentValidation"
],
"d3f:d3fend-id": "D3-CV",
"d3f:definition": "Verify and validate contents complies with policy",
"d3f:kb-article": "## How it works\n\nTo ensure that content is safe, it's composition must be validated according to its content policy.",
"d3f:kb-reference": {
"@id": "d3f:Reference-FileSecurityUsingFileFormatValidation_OPSWATInc"
},
"rdfs:label": "Content Validation",
"rdfs:subClassOf": {
"@id": "d3f:ContentFiltering"
}
},
{
"@id": "d3f:ApplicationProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An application process is an instance of an application computer program that is being executed.",
"d3f:runs": {
"@id": "d3f:Application"
},
"rdfs:label": "Application Process",
"rdfs:seeAlso": {
"@id": "dbr:Application_software"
},
"rdfs:subClassOf": [
{
"@id": "d3f:UserProcess"
},
{
"@id": "_:N87bfbaf038b9492691c282331ee6c1e6"
}
]
},
{
"@id": "_:N87bfbaf038b9492691c282331ee6c1e6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:runs"
},
"owl:someValuesFrom": {
"@id": "d3f:Application"
}
},
{
"@id": "d3f:Variance",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-VAR",
"d3f:definition": "Variance is a measure of dispersion, meaning it is a measure of how far a set of numbers is spread out from their average value.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Variance. [Link](https://en.wikipedia.org/wiki/Variance)",
"rdfs:label": "Variance",
"rdfs:subClassOf": {
"@id": "d3f:Variability"
}
},
{
"@id": "d3f:T1601.002",
"@type": "owl:Class",
"d3f:attack-id": "T1601.002",
"d3f:definition": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)",
"rdfs:label": "Downgrade System Image",
"rdfs:subClassOf": {
"@id": "d3f:T1601"
}
},
{
"@id": "d3f:Reference-CAR-2020-11-002%3ALocalNetworkSniffing_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-11-002/"
},
"d3f:kb-abstract": "Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessLineageAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-11-002: Local Network Sniffing",
"rdfs:label": "Reference - CAR-2020-11-002: Local Network Sniffing - MITRE"
},
{
"@id": "d3f:CCI-002009_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:BiometricAuthentication"
},
{
"@id": "d3f:Certificate-basedAuthentication"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-05-03T00:00:00"
},
"rdfs:label": "CCI-002009"
},
{
"@id": "d3f:OTReadSetValueCommand",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Reads the contents of the specified number of consecutive parameter areawords starting from the specified word.",
"d3f:has-participant": {
"@id": "d3f:OTLogicVariable"
},
"rdfs:comment": [
"BACnet: confirmedCOVNotification\nBACnet: subscribeCOV\nBACnet: readProperty\nBACnet: readPropertyConditional\nBACnet: readPropertyMultiple\nBACnet: unconfirmedCOVNotification\nBACnet: readRange\nBACnet: subscribeCOVProperty\nBACnet: getEventInformation\nBACnet: subscribe-cov-property-multiple\nBACnet: confirmed-cov-notification-multiple\nBACnet: unconfirmed-cov-notification-multiple ",
"CIP: Get Attributes All\nCIP: Get Attribute List\nCIP: Get Attribute Single\nCIP: Find Next Object Instance\nCIP: Get Member ",
"GE-SRTP: READ SYSTEM MEMORY\nGE-SRTP: READ TASK MEMORY ",
"Modbus: Read Coils\nModbus: Read Discrete Inputs\nModbus: Read Holding Registers\nModbus: Read Input Registers\nModbus: Read FIFO Queue"
],
"rdfs:label": "OT Read Value Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:OTReadCommand"
},
{
"@id": "_:Nbbf78f6eede24f0d9f92b7879254ce03"
}
]
},
{
"@id": "_:Nbbf78f6eede24f0d9f92b7879254ce03",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTLogicVariable"
}
},
{
"@id": "d3f:T1649",
"@type": "owl:Class",
"d3f:attack-id": "T1649",
"d3f:definition": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)",
"rdfs:label": "Steal or Forge Authentication Certificates",
"rdfs:subClassOf": {
"@id": "d3f:CredentialAccessTechnique"
}
},
{
"@id": "d3f:Reference-DecoyNetwork-BasedServiceForDeceivingAttackers-AmazonTechnologies",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US10873601B1"
},
"d3f:kb-abstract": "A decoy network-based service uses a decoy credential to lure an attacker to access the decoy network-based service, and monitors the attacker's activity with respect to the decoy network-based service to determine the attacker's motivation. In various examples, a decoy credential is published on an Internet-accessible site, and a system that provides a network-based service (e.g., a service provider network) subsequently receives an access request from a computing device that includes the decoy credential. Based on the decoy credential, the computing device may be provided access to a decoy network-based service, and application programming interface (API) calls made by the computing device may be routed through a decoy control plane. The data relating to the API calls may be stored and analyzed to determine a motivation of the attacker, which may be used in various downstream applications to improve security for customers of the network-based service.",
"d3f:kb-author": "Thomas Stickle",
"d3f:kb-mitre-analysis": "MITRE analysis was not found.",
"d3f:kb-organization": "Amazon Technologies",
"d3f:kb-reference-of": {
"@id": "d3f:DecoyUserCredential"
},
"d3f:kb-reference-title": "Decoy network-based service for deceiving attackers",
"rdfs:label": "Reference - Decoy Network-Based Service for Deceiving Attackers - Amazon Technologies"
},
{
"@id": "d3f:CWE-788",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-788",
"d3f:definition": "The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.",
"rdfs:label": "Access of Memory Location After End of Buffer",
"rdfs:subClassOf": {
"@id": "d3f:CWE-119"
}
},
{
"@id": "d3f:AccountLocking",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:AccountLocking"
],
"d3f:created": {
"@type": "xsd:dateTime",
"@value": "2020-08-05T00:00:00"
},
"d3f:d3fend-id": "D3-AL",
"d3f:definition": "The process of temporarily disabling user accounts on a system or domain.",
"d3f:disables": {
"@id": "d3f:UserAccount"
},
"d3f:kb-article": "## How it works\nManagement servers with enterprise policies for account management provide the ability to enable and disable account for given rules. The rules may include specific periods of time (eg. weekend, plant shutdown, leave periods), specific user types or groups, or individual users.\n\n## Considerations\n* Local accounts caches vs centralized account management\n* Single Sign-on\n* Role based vs Attribute based systems\n\n## Examples of account configuration stores\n* Directory Services\n* Active Directory\n* RADIUS\n* LDAP\n* Oracle User Account Management\n* JumpCloud",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-AccountMonitoring_ForescoutTechnologies"
},
{
"@id": "d3f:Reference-FrameworkForNotifyingADirectoryServiceOfAuthenticationEventsProcessedOutsideTheDirectoryService_OracleInternationalCorp"
}
],
"rdfs:label": "Account Locking",
"rdfs:subClassOf": [
{
"@id": "d3f:CredentialEviction"
},
{
"@id": "_:Nb5f9165da6444e7c904916a17906cba8"
}
]
},
{
"@id": "_:Nb5f9165da6444e7c904916a17906cba8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:disables"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:ProcessAccessEvent",
"@type": "owl:Class",
"d3f:definition": "An event where one process interacts with another, such as reading memory, inspecting state, or altering behavior.",
"rdfs:label": "Process Access Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessEvent"
},
{
"@id": "_:Ne2792a03e6c543ebac7a4d2bb568e124"
}
]
},
{
"@id": "_:Ne2792a03e6c543ebac7a4d2bb568e124",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessCreationEvent"
}
},
{
"@id": "d3f:CWE-372",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-372",
"d3f:definition": "The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.",
"rdfs:label": "Incomplete Internal State Distinction",
"rdfs:subClassOf": {
"@id": "d3f:CWE-664"
}
},
{
"@id": "d3f:Hardware-basedProcessIsolation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:Hardware-basedProcessIsolation"
],
"d3f:d3fend-id": "D3-HBPI",
"d3f:definition": "Preventing one process from writing to the memory space of another process through hardware based address manager implementations.",
"d3f:isolates": {
"@id": "d3f:Process"
},
"d3f:kb-article": "## How it works\nProcess isolation, in this context, is address space separation controlled by a security function that limits the communication between processes so that one process cannot directly modify the executing code of another process. For example with virtual address space:\n\n* Process A address space is different from process B address space, which prevents process A from writing to process B\n\nHardware process isolation is commonly implemented through Direct Memory Access (DMA) which collaborates with a Memory Management Unit (MMU), or Input-Output Memory Management Unit (IOMMU). These hardware controls are deployed directly on processors to aid hosts or enclaves in process isolation.\n\n* DMA - Direct memory access allows memory access to occur independently of the program currently run by the microprocessor. DMA allows for I/O devices to directly read from and write to memory, or it can be used to efficiently copy blocks of memory. During DMA transfers, the microprocessor can execute an unrelated program.\n* MMU - A memory management unit acts as an access control and is responsible for performing the translation of virtual memory addresses to physical memory addresses. The MMU allocates each process its own virtual memory space.\n* IOMMU - An input-output memory management unit is used to allocate each I/O device its own virtual address space to the underlying physical addresses. IOMMU allows devices that do not support long memory addresses to address the entire memory space.\n\n## Considerations\n* Private hosts may be vulnerable to DMA attack if they have a PCI or PCI Express port that connects attached devices directly to physical address space.\n\n## Implementations:\n * Intel Virtualization Technology for Directed I/O (Intel VT-d)\n * Firecracker",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-VirtualizedProcessIsolation_AdvancedMicroDevicesInc"
},
{
"@id": "d3f:Reference-ApproachesForSecuringAnInternetEndpointUsingFine-grainedOperatingSystemVirtualization_Bromium,Inc."
},
{
"@id": "d3f:Reference-IsolationOfApplicationsWithinAVirtualMachine_Bromium,Inc."
}
],
"d3f:restricts": {
"@id": "d3f:CreateProcess"
},
"d3f:synonym": "Virtualization",
"rdfs:label": "Hardware-based Process Isolation",
"rdfs:subClassOf": [
{
"@id": "d3f:ExecutionIsolation"
},
{
"@id": "_:Nbdbf25a506eb4b7284ff1f2b6f967d88"
},
{
"@id": "_:Na688df6f6e6b42cc98bc7637d4089c1d"
}
]
},
{
"@id": "_:Nbdbf25a506eb4b7284ff1f2b6f967d88",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:isolates"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "_:Na688df6f6e6b42cc98bc7637d4089c1d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restricts"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "d3f:UseCasePrerequisite",
"@type": "owl:Class",
"rdfs:label": "Use Case Prerequisite",
"rdfs:subClassOf": {
"@id": "d3f:Condition"
}
},
{
"@id": "d3f:WindowOpenFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Creates, opens, reopens, or deletes a file.",
"d3f:invokes": {
"@id": "d3f:WindowsNtOpenFile"
},
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openfile"
},
"rdfs:label": "Windows OpenFile",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPICreateFile"
},
{
"@id": "d3f:OSAPIOpenFile"
},
{
"@id": "_:Nb41842b5e0b14ec7bde0dbe88a96fc07"
}
]
},
{
"@id": "_:Nb41842b5e0b14ec7bde0dbe88a96fc07",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtOpenFile"
}
},
{
"@id": "d3f:CWE-343",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-343",
"d3f:definition": "The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.",
"rdfs:label": "Predictable Value Range from Previous Values",
"rdfs:subClassOf": {
"@id": "d3f:CWE-340"
}
},
{
"@id": "d3f:powered-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x powered-by y: x obtains its essential energy or force from y to perform its function or remain active.",
"owl:inverseOf": {
"@id": "d3f:powers"
},
"rdfs:label": "powered-by",
"rdfs:subPropertyOf": {
"@id": "d3f:depends-on"
}
},
{
"@id": "d3f:CWE-590",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:cwe-id": "CWE-590",
"d3f:definition": "The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().",
"d3f:weakness-of": {
"@id": "d3f:MemoryFreeFunction"
},
"rdfs:label": "Free of Memory not on the Heap",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-762"
},
{
"@id": "_:N566f5abb61c24f85b86cba73def70284"
}
]
},
{
"@id": "_:N566f5abb61c24f85b86cba73def70284",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:weakness-of"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryFreeFunction"
}
},
{
"@id": "d3f:CCI-002382_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:Hardware-basedProcessIsolation"
},
{
"@id": "d3f:Kernel-basedProcessIsolation"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002382"
},
{
"@id": "d3f:CWE-108",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-108",
"d3f:definition": "Every Action Form must have a corresponding validation form.",
"rdfs:label": "Struts: Unvalidated Action Form",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1173"
}
},
{
"@id": "d3f:EventLogRestartEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the restarting of the event logging service, often performed during system maintenance or troubleshooting.",
"rdfs:label": "Event Log Restart Event",
"rdfs:subClassOf": [
{
"@id": "d3f:EventLogEvent"
},
{
"@id": "_:N5641467a60a9429c8c5b66cbcdc1f99b"
},
{
"@id": "_:N97bf5a4e6b7f4bc4b82908be3f353380"
}
]
},
{
"@id": "_:N5641467a60a9429c8c5b66cbcdc1f99b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:EventLogStopEvent"
}
},
{
"@id": "_:N97bf5a4e6b7f4bc4b82908be3f353380",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:precedes"
},
"owl:someValuesFrom": {
"@id": "d3f:EventLogStartEvent"
}
},
{
"@id": "d3f:BinaryClassification",
"@type": "owl:Class",
"rdfs:label": "Binary Classification",
"rdfs:subClassOf": {
"@id": "d3f:Classifying"
}
},
{
"@id": "d3f:CWE-1265",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1265",
"d3f:definition": "During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.",
"rdfs:label": "Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls",
"rdfs:subClassOf": {
"@id": "d3f:CWE-691"
}
},
{
"@id": "d3f:M1047",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:d3fend-comment": "M1047 scope is broad, touches on an wide variety of techniques in d3fend.",
"d3f:related": [
{
"@id": "d3f:DomainAccountMonitoring"
},
{
"@id": "d3f:LocalAccountMonitoring"
},
{
"@id": "d3f:SystemFileAnalysis"
}
],
"rdfs:label": "Audit"
},
{
"@id": "d3f:AgglomerativeClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-AC",
"d3f:definition": "Agglomerative Clustering is a type of hierarchical clustering method where data points are grouped together based on similarity. Initially, each data point is treated as an individual cluster, and then in successive iterations, the closest clusters are merged until only one large cluster remains or until a specified stopping criterion is met.",
"d3f:kb-article": "## How it works\n\nAgglomerative clustering starts with each data point as its own cluster. The algorithm then iterates, identifying the two clusters that are closest to each other based on a defined distance metric (e.g., Euclidean, Manhattan). These two clusters are then merged into a single cluster. This process continues iteratively, merging the closest pairs of clusters in each step until all data points are merged into a single cluster or until other stopping criteria are achieved. A dendrogram, which is a tree-like diagram, can be used to represent the sequence of merges, providing a visual representation of the hierarchical structure of data.\n\n## Considerations\n\n- **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan).\n\n- **Scalability**: Agglomerative clustering can be computationally intensive for large datasets.\n\n- **Sensitivity**: The method can be sensitive to outliers, which might affect the quality of the clusters formed.\n\n## Key Test Considerations\n\n- **Unsupervised Learning**:\n\n - **Number of Clusters**: Determine an optimal number of clusters using the dendrogram and techniques like the elbow method.\n\n- **Cluster Analysis**:\n\n - **Silhouette Score**: Evaluates how similar an object is to its own cluster compared to other clusters. A higher silhouette score indicates that the object is well matched to its own cluster and poorly matched to neighboring clusters.\n\n - **Dunn Index**: Measures the ratio between the smallest distance between observations not in the same cluster to the largest intra-cluster distance.\n\n- **Hierarchical Clustering**:\n\n - **Cophenetic Correlation Coefficient**: Measures the correlation between the distances of points in feature space and their distances on the dendrogram. Helps assess the fidelity of the dendrogram in preserving pairwise distances between samples.\n\n- **Agglomerative Clustering**:\n\n - **Linkage Criteria**: Test different linkage criteria (e.g., single, complete, average) to determine which produces the most cohesive clusters for the data at hand.\n\n ## Platforms, Tools, or Libraries\n\n- **scikit-learn**:\n\n - A versatile machine learning library in Python.\n\n - The `AgglomerativeClustering` class in scikit-learn provides this functionality.\n\n- **SciPy**:\n\n - A Python library used for scientific and technical computing.\n\n - The `scipy.cluster.hierarchy` module provides functions for hierarchical and\n agglomerative clustering, including the `linkage` and `dendrogram` functions.\n\n- **R**:\n\n - The `hclust` function in the stats package provides agglomerative clustering.\n\n - The `agnes` function in the `cluster` package offers a more extensive implementation.\n\n- **MATLAB**:\n\n - Offers the `linkage` function for hierarchical agglomerative clustering and `dendrogram` for visualization.\n\n- **Weka**:\n\n - A collection of machine learning algorithms for data mining tasks.\n\n - The `HierarchicalClusterer` class provides an implementation of agglomerative clustering.\n\n## References\n\n1. Jain, A. K., & Dubes, R. C. (1988). *Algorithms for clustering data*. Prentice-Hall, Inc.\n\n2. Murtagh, F., & Legendre, P. (2014). Ward’s hierarchical agglomerative clustering method: which algorithms implement Ward’s criterion?. *Journal of Classification*, 31(3), 274-295. [Link](https://link.springer.com/article/10.1007/s00357-014-9161-z).\n\n3. Scikit-learn. (30 Jun 2023). Scikit-learn Documentation: Agglomerative Clustering.\n[Link](https://scikit-learn.org/stable/modules/generated/sklearn.cluster.AgglomerativeClustering.html).",
"rdfs:label": "Agglomerative Clustering",
"rdfs:subClassOf": {
"@id": "d3f:HierarchicalClustering"
}
},
{
"@id": "d3f:T1578.005",
"@type": "owl:Class",
"d3f:attack-id": "T1578.005",
"d3f:definition": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.",
"rdfs:label": "Modify Cloud Compute Configurations",
"rdfs:subClassOf": {
"@id": "d3f:T1578"
}
},
{
"@id": "d3f:CWE-1276",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1276",
"d3f:definition": "Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.",
"rdfs:label": "Hardware Child Block Incorrectly Connected to Parent System",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:FileCreationEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the creation of a new file within the system, establishing its existence and initial attributes in the file system or storage medium.",
"rdfs:label": "File Creation Event",
"rdfs:subClassOf": {
"@id": "d3f:FileEvent"
}
},
{
"@id": "d3f:CWE-576",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-576",
"d3f:definition": "The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.",
"rdfs:label": "EJB Bad Practices: Use of Java I/O",
"rdfs:subClassOf": {
"@id": "d3f:CWE-695"
}
},
{
"@id": "d3f:CWE-587",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-587",
"d3f:definition": "The product sets a pointer to a specific address other than NULL or 0.",
"rdfs:label": "Assignment of a Fixed Address to a Pointer",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-344"
},
{
"@id": "d3f:CWE-758"
}
]
},
{
"@id": "d3f:T1584.003",
"@type": "owl:Class",
"d3f:attack-id": "T1584.003",
"d3f:definition": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)",
"rdfs:label": "Virtual Private Server",
"rdfs:subClassOf": {
"@id": "d3f:T1584"
}
},
{
"@id": "d3f:CWE-228",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-228",
"d3f:definition": "The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.",
"rdfs:label": "Improper Handling of Syntactically Invalid Structure",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-703"
},
{
"@id": "d3f:CWE-707"
}
]
},
{
"@id": "d3f:controlled-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x controlled-by y: x's operation or behavior is directed or regulated by y.",
"owl:inverseOf": {
"@id": "d3f:controls"
},
"rdfs:label": "controlled-by",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:d3fend-process-object-property",
"@type": "owl:ObjectProperty",
"rdfs:label": "d3fend-process-object-property",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-object-property"
}
},
{
"@id": "d3f:ComputeDeviceEvent",
"@type": "owl:Class",
"d3f:definition": "An event capturing the operation, state, or performance of computational hardware, such as CPUs, GPUs, or accelerators. These events reflect processing capacity changes, utilization anomalies, or device health.",
"rdfs:label": "Compute Device Event",
"rdfs:subClassOf": [
{
"@id": "d3f:HardwareDeviceEvent"
},
{
"@id": "_:N1612d4f90ebf48759f820b3a867bb327"
}
]
},
{
"@id": "_:N1612d4f90ebf48759f820b3a867bb327",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:Processor"
}
},
{
"@id": "d3f:FirmwareBehaviorAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:FirmwareBehaviorAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:Firmware"
},
"d3f:d3fend-id": "D3-FBA",
"d3f:definition": "Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.",
"d3f:kb-article": "## How it works\nFirmware behavior analysis provides protections by ensuring that installed firmware has not been tampered with or modified. Firmware analysis applies to mutable firmware and immutable read-only memory (ROMs).\n\nFirmware in deployed network devices is typically not analyzed and monitored for vulnerabilities and thus is subject to potential attacks. This technique makes use of known and measured behavioral attributes, including timing attributes, of analyzed firmware on deployed devices.\n\nA behavioral method that employs known timing measurements may use the timing results from a challenge and response protocol to detect the presence of malware in embedded firmware. Firmware device timing measurements are made, specific to the installed device, and are used in the verifying function.\n\nThe original firmware image is modified by injecting a monitoring software component into the embedded firmware code. The injected software components will allow for a software root of trust, the challenge and response protocol, to be implement in the firmware.\n\nA challenge-response is issued and includes a nonce so that replays are not allowed. The firmware will calculate a checksum over all of memory, including the nonce, and return the result. The verification system will compare the computed checksum and the time it took for the computation of the checksum to determine if the firmware has been modified.\n\n## Considerations\n* The firmware code will need to be modified to include the behavioral monitoring functionality.\n* This technique is sensitive to the device the embedded firmware is hosted on and it is expected that the devices and firmware will need to be profiled and analyzed to determine timing estimation.\n* This technique is not expected to be one hundred percent correct as you would expect in a hardware root of trust solution and may require some tuning.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-FirmwareBehaviorAnalysisConFirm"
},
{
"@id": "d3f:Reference-FirmwareBehaviorAnalysisVIPER"
}
],
"d3f:synonym": "Firmware Timing Analysis",
"rdfs:label": "Firmware Behavior Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:PlatformMonitoring"
},
{
"@id": "_:N8660b79dba5647929c64fd7c52e75886"
}
]
},
{
"@id": "_:N8660b79dba5647929c64fd7c52e75886",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:Firmware"
}
},
{
"@id": "d3f:UserAccountCreationEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the creation of a new user account within a system or domain.",
"rdfs:label": "User Account Creation Event",
"rdfs:subClassOf": {
"@id": "d3f:UserAccountEvent"
}
},
{
"@id": "d3f:BooleanExpressionMatching",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-BEM",
"d3f:definition": "Boolean expression matching produces a Boolean truth value for a given boolean expression and assignment of values to variables in the expression.",
"d3f:kb-article": "## How it works\nA Boolean expression is an expression used in programming languages that produces a Boolean value when evaluated. A Boolean value is either true or false. A Boolean expression may be composed of a combination of the Boolean constants true or false, Boolean-typed variables, Boolean-valued operators, and Boolean-valued functions.\n\nBoolean expressions correspond to propositional formulas in logic and are a special case of Boolean circuits.\n\n## References\n1. Boolean expression. (2022, April 25). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Boolean_expression)\n2. Boolean algebra. (2022, May 19). In _Wikipedia_.\n[Link](https://en.wikipedia.org/wiki/Boolean_expression)",
"rdfs:label": "Boolean Expression Matching",
"rdfs:subClassOf": {
"@id": "d3f:LogicalRules"
}
},
{
"@id": "d3f:SystemVulnerabilityAssessment",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:SystemVulnerabilityAssessment"
],
"d3f:d3fend-id": "D3-SYSVA",
"d3f:definition": "System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.",
"d3f:evaluates": {
"@id": "d3f:DigitalSystem"
},
"d3f:identifies": {
"@id": "d3f:Vulnerability"
},
"d3f:kb-reference": {
"@id": "d3f:Reference-SoftwareVulnerabilityGraphDatabase"
},
"rdfs:label": "System Vulnerability Assessment",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemMapping"
},
{
"@id": "_:N396926ca1abc4a199b3582e181659e21"
},
{
"@id": "_:N09009c1c240946d0bd765d61cfe24efe"
}
]
},
{
"@id": "_:N396926ca1abc4a199b3582e181659e21",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:evaluates"
},
"owl:someValuesFrom": {
"@id": "d3f:DigitalSystem"
}
},
{
"@id": "_:N09009c1c240946d0bd765d61cfe24efe",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:identifies"
},
"owl:someValuesFrom": {
"@id": "d3f:Vulnerability"
}
},
{
"@id": "d3f:CWE-467",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-467",
"d3f:definition": "The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to.",
"rdfs:label": "Use of sizeof() on a Pointer Type",
"rdfs:subClassOf": {
"@id": "d3f:CWE-131"
}
},
{
"@id": "d3f:CCI-001403_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system automatically audits account modification actions.",
"d3f:exactly": {
"@id": "d3f:DomainAccountMonitoring"
},
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-24T00:00:00"
},
"rdfs:label": "CCI-001403"
},
{
"@id": "d3f:CWE-348",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-348",
"d3f:definition": "The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.",
"rdfs:label": "Use of Less Trusted Source",
"rdfs:subClassOf": {
"@id": "d3f:CWE-345"
}
},
{
"@id": "d3f:CWE-790",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-790",
"d3f:definition": "The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.",
"rdfs:label": "Improper Filtering of Special Elements",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:Higher-orderLogic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-HOL",
"d3f:definition": "Higher-order logic is a form of predicate logic that is distinguished from first-order logic by additional quantifiers and, sometimes, stronger semantics. Higher-order logics with their standard semantics are more expressive, but their model-theoretic properties are less well-behaved than those of first-order logic.",
"d3f:kb-article": "## References\n1. Higher-order logic. (2023, May 13). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Higher-order_logic)",
"d3f:synonym": "HOL",
"rdfs:label": "Higher-order Logic",
"rdfs:subClassOf": {
"@id": "d3f:PredicateLogic"
}
},
{
"@id": "d3f:URLAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:URLAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:URL"
},
"d3f:d3fend-id": "D3-UA",
"d3f:definition": "Determining if a URL is benign or malicious by analyzing the URL or its components.",
"d3f:kb-article": "## How it works\n\nURLs may contain components, for example:\n\n * scheme\n * userinfo\n * host name\n * port\n * path\n * query\n * fragment\n\nThese components are used as features in analysis algorithms.\n\nContextual information about a URL such as where it is embedded (ex. emails, files, network protocols), header, path, location, and origin information, as well as information about the content returned from the URL request, may be incorporated into an analytic for URL analysis. For example, if a URL indicates a .pdf file but an executable is actually returned, the combination of these two pieces of information indicates suspicious activity.\n\nAdditional techniques include:\n\n* Extracting features of a URL such as domain name length, ratio of consecutive consonants, percentage of digits in a domain, and number of vowels. Values for each feature are combined to develop a score for the URL.\n* Determining the probability of a character occurring in the URL given the preceding two characters. For example, for google.com, the probability of a 'g' occurring at the beginning of a word, the probability of an 'o' occurring after a \"g, the probability of an o\" occurring after a 'g' and \"o, and so forth. A dictionary or a list of known good domains is used to determine probability. Probabilities are multiplied to develop a score for the URL.\n\nURL analysis may trigger follow-on analytics such as **File Analysis**\n\n## Considerations\n\n* Volume of URLs being analyzed, combined with the speed at which they are analyzed\n* Fidelity of analysis technique at detecting brand new URLs versus analyzing URLs of established domains",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-MethodAndApparatusForDetectingMaliciousWebsites_EndgameInc"
},
{
"@id": "d3f:Reference-MethodAndSystemForDetectingRestrictedContentAssociatedWithRetrievedContent_SophosLtd"
}
],
"rdfs:label": "URL Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:IdentifierAnalysis"
},
{
"@id": "_:N95df0c68c9164e0c92e36323f5b1c8ba"
}
]
},
{
"@id": "_:N95df0c68c9164e0c92e36323f5b1c8ba",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:URL"
}
},
{
"@id": "d3f:CWE-1104",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1104",
"d3f:definition": "The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.",
"rdfs:label": "Use of Unmaintained Third Party Components",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1357"
}
},
{
"@id": "d3f:CWE-686",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-686",
"d3f:definition": "The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.",
"rdfs:label": "Function Call With Incorrect Argument Type",
"rdfs:subClassOf": {
"@id": "d3f:CWE-628"
}
},
{
"@id": "d3f:T1204.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:URL"
},
"d3f:attack-id": "T1204.001",
"d3f:definition": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).",
"d3f:produces": {
"@id": "d3f:OutboundInternetWebTraffic"
},
"rdfs:label": "Malicious Link",
"rdfs:subClassOf": [
{
"@id": "d3f:T1204"
},
{
"@id": "_:N73ef1672b2544ad08223f20d9a6a9afb"
},
{
"@id": "_:N98485dfb59d44ae084fcb204462c3af6"
}
]
},
{
"@id": "_:N73ef1672b2544ad08223f20d9a6a9afb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:URL"
}
},
{
"@id": "_:N98485dfb59d44ae084fcb204462c3af6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetWebTraffic"
}
},
{
"@id": "d3f:CWE-323",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-323",
"d3f:definition": "Nonces should be used for the present occasion and only once.",
"rdfs:label": "Reusing a Nonce, Key Pair in Encryption",
"rdfs:subClassOf": {
"@id": "d3f:CWE-344"
}
},
{
"@id": "d3f:CWE-616",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-616",
"d3f:definition": "The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.",
"rdfs:label": "Incomplete Identification of Uploaded File Variables (PHP)",
"rdfs:subClassOf": {
"@id": "d3f:CWE-345"
}
},
{
"@id": "d3f:BootstrapAggregating",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-BA",
"d3f:definition": "Bootstrap aggregating, also called bagging (from bootstrap aggregating), is a machine learning ensemble meta-algorithm designed to improve the stability and accuracy of machine learning algorithms used in statistical classification and regression. It also reduces variance and helps to avoid overfitting. Although it is usually applied to decision tree methods, it can be used with any type of method. Bagging is a special case of the model averaging approach.",
"d3f:kb-article": "## References\nBootstrap aggregating. Wikipedia. [Link](https://en.wikipedia.org/wiki/Bootstrap_aggregating).",
"rdfs:label": "Bootstrap Aggregating",
"rdfs:subClassOf": {
"@id": "d3f:ResamplingEnsemble"
}
},
{
"@id": "d3f:CloudServiceAuthorization",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Cloud authorization is the function of specifying access rights to cloud resources.",
"rdfs:label": "Cloud Service Authorization",
"rdfs:subClassOf": {
"@id": "d3f:Authorization"
}
},
{
"@id": "d3f:Sensor",
"@type": "owl:Class",
"d3f:definition": "In the broadest definition, a sensor is a device, module, machine, or subsystem that detects events or changes in its environment and sends the information to other electronics, frequently a computer.",
"rdfs:label": "Sensor",
"rdfs:seeAlso": {
"@id": "https://en.wikipedia.org/wiki/Sensor"
},
"rdfs:subClassOf": [
{
"@id": "d3f:D3FENDCore"
},
{
"@id": "d3f:DigitalInformationBearer"
}
]
},
{
"@id": "d3f:has-link",
"@type": "owl:DatatypeProperty",
"d3f:definition": "x has-link y: The d3fend analysis x has the link y.",
"rdfs:label": "has-link",
"rdfs:range": {
"@id": "xsd:anyURI"
},
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-kb-data-property"
}
},
{
"@id": "d3f:EventLogArchiveEvent",
"@type": "owl:Class",
"d3f:definition": "An event involving the archiving of event log data, typically to preserve historical records in a compressed or secure format.",
"rdfs:label": "Event Log Archive Event",
"rdfs:subClassOf": {
"@id": "d3f:EventLogEvent"
}
},
{
"@id": "d3f:NTFSSymbolicLink",
"@type": "owl:Class",
"d3f:definition": "An NTFS symbolic link records the path of another file that the links contents should show. Can accept relative paths. SMB networking (UNC path) and directory support added in NTFS 3.1.",
"rdfs:isDefinedBy": {
"@id": "dbr:NTFS_links"
},
"rdfs:label": "NTFS Symbolic Link",
"rdfs:subClassOf": [
{
"@id": "d3f:NTFSLink"
},
{
"@id": "d3f:SymbolicLink"
}
],
"skos:altLabel": "NTFS Symlink"
},
{
"@id": "d3f:CWE-1083",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1083",
"d3f:definition": "The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.",
"rdfs:label": "Data Access from Outside Expected Data Manager Component",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1061"
}
},
{
"@id": "d3f:CWE-246",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-246",
"d3f:definition": "The J2EE application directly uses sockets instead of using framework method calls.",
"rdfs:label": "J2EE Bad Practices: Direct Use of Sockets",
"rdfs:subClassOf": {
"@id": "d3f:CWE-695"
}
},
{
"@id": "d3f:CWE-562",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-562",
"d3f:definition": "A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.",
"rdfs:label": "Return of Stack Variable Address",
"rdfs:subClassOf": {
"@id": "d3f:CWE-758"
}
},
{
"@id": "d3f:T1082",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1082",
"d3f:definition": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
"d3f:may-access": {
"@id": "d3f:DecoyArtifact"
},
"d3f:may-invoke": {
"@id": "d3f:CreateProcess"
},
"rdfs:label": "System Information Discovery",
"rdfs:subClassOf": [
{
"@id": "d3f:DiscoveryTechnique"
},
{
"@id": "_:Nc88df34f7f7a438ab65ae97b885e6c45"
},
{
"@id": "_:N41ab97b72c164815ac56e98cd9de5628"
}
]
},
{
"@id": "_:Nc88df34f7f7a438ab65ae97b885e6c45",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-access"
},
"owl:someValuesFrom": {
"@id": "d3f:DecoyArtifact"
}
},
{
"@id": "_:N41ab97b72c164815ac56e98cd9de5628",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "d3f:GetOpenWindows",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"rdfs:label": "Get Open Windows",
"rdfs:subClassOf": {
"@id": "d3f:SystemCall"
}
},
{
"@id": "d3f:T1075",
"@type": "owl:Class",
"d3f:attack-id": "T1075",
"d3f:definition": "Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1550.002",
"rdfs:label": "Pass the Hash",
"rdfs:seeAlso": "T1550.002",
"rdfs:subClassOf": {
"@id": "d3f:LateralMovementTechnique"
}
},
{
"@id": "d3f:Reference-CyberVaccineAndPredictiveMalwareDefensiveMethodsAndSystems",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US10848519B2/"
},
"d3f:kb-abstract": "Methods and systems for Predictive Malware Defense (PMD) are described. The systems and methods can utilize advanced machine-learning (ML) techniques to generate malware defenses preemptively. Embodiments of PMD can utilize models, which are trained on features extracted from malware families, to predict possible courses of malware evolution. PMD captures these predicted future evolutions in signatures of as yet unseen malware variants to function as a malware vaccine. These signatures of predicted future malware “evolutions” can be added to the training set of a machine-learning (ML) based malware detection and/or mitigation system so that it can detect these new variants as they arrive.",
"d3f:kb-author": "Michael Howard, Avi Pfeifer, Mukesh Dalal, Michael Reposa",
"d3f:kb-organization": "Charles River Analytics Inc.",
"d3f:kb-reference-of": {
"@id": "d3f:FileContentAnalysis"
},
"d3f:kb-reference-title": "Cyber vaccine and predictive-malware-defense methods and systems",
"rdfs:label": "Reference - Cyber vaccine and predictive-malware-defense methods and systems"
},
{
"@id": "d3f:Reference-FirewallForInterentAccess_SecureComputingLLC",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/GB2317539A"
},
"d3f:kb-abstract": "Regulating the flow of internetwork connections through a firewall (10) having a network protocol stack (14,16,18) which includes an Internet Protocol (IP) layer (16). A determination is made of the parameters characteristic of a connection request, including a netelement parameter characteristic of where the connection request came from. A query is generated and a determination is made whether there is a rule corresponding to that query. If there is a rule corresponding to the query, a determination is made whether authentication is required by the rule. If authentication is required by the rule, an authentication protocol is activated and the connection is activated if the authentication protocol is completed successfully.",
"d3f:kb-author": "Edward B Stockwell, Alan E Klietz",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Secure Computing LLC",
"d3f:kb-reference-of": {
"@id": "d3f:InboundTrafficFiltering"
},
"d3f:kb-reference-title": "Firewall for interent access",
"rdfs:label": "Reference - Firewall for interent access - Secure Computing LLC"
},
{
"@id": "d3f:CWE-468",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-468",
"d3f:definition": "In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.",
"rdfs:label": "Incorrect Pointer Scaling",
"rdfs:subClassOf": {
"@id": "d3f:CWE-682"
}
},
{
"@id": "d3f:CWE-1279",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1279",
"d3f:definition": "Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.",
"rdfs:label": "Cryptographic Operations are run Before Supporting Units are Ready",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-665"
},
{
"@id": "d3f:CWE-696"
}
]
},
{
"@id": "d3f:T1027.009",
"@type": "owl:Class",
"d3f:attack-id": "T1027.009",
"d3f:definition": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)",
"rdfs:label": "Embedded Payloads",
"rdfs:subClassOf": {
"@id": "d3f:T1027"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5",
"@type": [
"owl:NamedIndividual",
"d3f:NISTSP800-53ControlCatalog"
],
"d3f:archived-at": {
"@type": "xsd:anyURI",
"@value": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"
},
"d3f:has-member": [
{
"@id": "d3f:NIST_SP_800-53_R5_AC-17_8"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-23"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-24"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-24_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-24_2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_13"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_7"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-2_9"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3_11"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3_13"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3_7"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-3_8"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_10"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_11"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_12"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_13"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_14"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_15"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_17"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_19"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_20"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_21"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_26"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_27"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_28"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_29"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_30"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_32"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_8"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_10"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_9"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-7"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-7_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-7_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-10_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-14_2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-15"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-2_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-2_2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_CM-14"
},
{
"@id": "d3f:NIST_SP_800-53_R5_CM-5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_CM-5_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_CM-5_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_CM-5_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_CM-5_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_CM-6_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_IA-2_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_IA-2_2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_IA-2_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_IA-2_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_IR-4_12"
},
{
"@id": "d3f:NIST_SP_800-53_R5_IR-4_13"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-3_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-3_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-3_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-3_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-4_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-6_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-6_2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-6_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-3_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-3_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-5_2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-5_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-5_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-5_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-5_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_RA-5_7"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-10_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-10_3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-10_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-10_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-10_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-11_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-11_8"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-8_18"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SA-8_22"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SC-2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SC-2_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SC-3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SC-3_1"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-2_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-2_5"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-2_6"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-3"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-3_10"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-3_4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-3_8"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-4"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-4_2"
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-4_4"
}
],
"d3f:version": 5,
"rdfs:label": "NIST SP 800-53 R5",
"rdfs:seeAlso": {
"@id": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"
}
},
{
"@id": "d3f:AuthenticationFunction",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:authenticates": {
"@id": "d3f:UserAccount"
},
"d3f:definition": "Authenticates a user account by verifying a presented credential.",
"rdfs:label": "Authentication Function",
"rdfs:subClassOf": [
{
"@id": "d3f:Subroutine"
},
{
"@id": "_:Na502463223bb47c7894621f3ded8f3f5"
}
]
},
{
"@id": "_:Na502463223bb47c7894621f3ded8f3f5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:authenticates"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:Reference-RemotelyScheduledTasksViaSchtasks_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2015-04-002/"
},
"d3f:kb-abstract": "An adversary can move laterally using the schtasks command to remotely schedule tasks. Although these events can be detected with command line analytics CAR-2013-08-001, it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as PowerShell. In this cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established (CAR-2014-05-001), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.\n\nCertain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats\n\n* UUID 86d35949-83c9-4044-b424-db363231fd0c (decoded)\n* Hex 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c (raw)\n* ASCII IYD@$621 (printable bytes only)\n\nThis identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic.",
"d3f:kb-author": "MITRE",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:RPCTrafficAnalysis"
},
"d3f:kb-reference-title": "CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks",
"rdfs:label": "Reference - CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks - MITRE"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-5",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:broader": [
{
"@id": "d3f:LocalFilePermissions"
},
{
"@id": "d3f:UserAccountPermissions"
}
],
"d3f:control-name": "Separation of Duties",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-5"
},
{
"@id": "d3f:process-property",
"@type": "owl:ObjectProperty",
"d3f:definition": "x process-property y: Process x has the a process-property y. This is generalization for specific process object properties.",
"rdfs:label": "process-property",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:CWE-1042",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1042",
"d3f:definition": "The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.",
"rdfs:label": "Static Member Data Element outside of a Singleton Class Element",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1176"
}
},
{
"@id": "d3f:Hardware-basedWriteProtection",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:Hardware-basedWriteProtection"
],
"d3f:d3fend-id": "D3-HBWP",
"d3f:definition": "Physical methods of preventing data from being written to computer storage.",
"d3f:hardens": {
"@id": "d3f:Storage"
},
"d3f:kb-reference": {
"@id": "d3f:Reference-WhatisHardwareWriteProtect"
},
"rdfs:label": "Hardware-based Write Protection",
"rdfs:subClassOf": [
{
"@id": "d3f:PlatformHardening"
},
{
"@id": "_:Nee371d177c254c998031a7368b1c8101"
}
]
},
{
"@id": "_:Nee371d177c254c998031a7368b1c8101",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:hardens"
},
"owl:someValuesFrom": {
"@id": "d3f:Storage"
}
},
{
"@id": "d3f:TA0007",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:OffensiveTactic"
],
"d3f:definition": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.",
"d3f:display-order": 7,
"rdfs:label": "Discovery",
"rdfs:subClassOf": [
{
"@id": "d3f:ATTACKEnterpriseTactic"
},
{
"@id": "d3f:OffensiveTactic"
}
]
},
{
"@id": "d3f:OTReadFileCommand",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Reads data in specified chuncks or the contents of a specified file stored in the file device connected to the PC.",
"d3f:has-participant": {
"@id": "d3f:File"
},
"rdfs:comment": [
"BACnet: atomicReadFile",
"Modbus: Read File Record"
],
"rdfs:label": "OT Read File Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:OTReadCommand"
},
{
"@id": "_:Nec75919e519c480f9fee04fb2090a1ab"
}
]
},
{
"@id": "_:Nec75919e519c480f9fee04fb2090a1ab",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:Reference-SystemAndMethodForProcessHollowingDetection_CarbonBlackInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20170272462A1"
},
"d3f:kb-abstract": "A method and system for remediating a process hollowing intrusion on a user device comprising detecting a process starting on the user device, preparing the process to monitor Application Programming Interface (API) calls between the process and an operating system of the user device, determining whether the process is associated with a process hollowing intrusion based on information associated with the process and/or the API calls, and executing security policies against the process associated with the process hollowing intrusion. In examples, it is determined whether the child process is associated with a process hollowing intrusion in response to determining whether one or more API calls associated with known process hollowing intrusions modify executable memory of and/or modify an entry point address of the child process.",
"d3f:kb-author": "Jeffrey Albin Kraemer, Paul Matthew Drapeau",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Carbon Black Inc",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSelf-ModificationDetection"
},
"d3f:kb-reference-title": "System and Method for Process Hollowing Detection",
"rdfs:label": "Reference - System and Method for Process Hollowing Detection - Carbon Black Inc"
},
{
"@id": "d3f:Shim",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "In computer programming, a shim is a small library that transparently intercepts API calls and changes the arguments passed, handles the operation itself, or redirects the operation elsewhere. Shims can be used to support an old API in a newer environment, or a new API in an older environment. Shims can also be used for running programs on different software platforms than those for which they were developed.",
"rdfs:isDefinedBy": {
"@id": "dbr:Shim_(computing)"
},
"rdfs:label": "Shim",
"rdfs:subClassOf": {
"@id": "d3f:Software"
}
},
{
"@id": "d3f:WindowsVirtualFree",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Releases, decommits, or releases and decommits a region of pages within the virtual address space of the calling process.",
"d3f:invokes": {
"@id": "d3f:WindowsNtFreeVirtualMemory"
},
"rdfs:isDefinedBy": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualfree"
},
"rdfs:label": "Windows VirtualFree",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPIFreeMemory"
},
{
"@id": "_:Nbf5966a2ab1045e0aa60914e61083bd6"
}
]
},
{
"@id": "_:Nbf5966a2ab1045e0aa60914e61083bd6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:WindowsNtFreeVirtualMemory"
}
},
{
"@id": "d3f:Reference-RemotelyTriggeredBlackHoleFiltering-Cisco",
"@type": [
"owl:NamedIndividual",
"d3f:AcademicPaperReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf"
},
"d3f:kb-organization": "Cisco",
"d3f:kb-reference-title": "Remotely Triggered Black Hole Filtering - Destination Based and Source Based",
"rdfs:label": "Reference - Remotely Triggered Black Hole FIltering - Cisco"
},
{
"@id": "d3f:DisplayServer",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A display server or window server is a program whose primary task is to coordinate the input and output of its clients to and from the rest of the operating system, the hardware, and each other. The display server communicates with its clients over the display server protocol, a communications protocol, which can be network-transparent or simply network-capable. The display server is a key component in any graphical user interface, specifically the windowing system.",
"rdfs:isDefinedBy": {
"@id": "dbr:Display_server"
},
"rdfs:label": "Display Server",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
},
"skos:altLabel": "Window Server"
},
{
"@id": "d3f:CCI-002307_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:SystemConfigurationPermissions"
},
{
"@id": "d3f:UserAccountPermissions"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-24T00:00:00"
},
"rdfs:label": "CCI-002307"
},
{
"@id": "d3f:IPCTrafficAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:IPCTrafficAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:IntranetIPCNetworkTraffic"
},
"d3f:d3fend-id": "D3-IPCTA",
"d3f:definition": "Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.",
"d3f:kb-article": "## How it works\nInter process communication enables applications or threads to share data. This can involve one or more computers. Monitoring IPC in your environment can reveal abnormal or malicious activity.\nIPC can occur within a single computer or between multiple computers remotely through network protocols. Thus there are multiple ways to collect and monitor these exchanges between processes. A network protocol analyzer may monitor and parse SMB network traffic to record system activity. A host based monitoring agent may monitor IPC activity contained within a single host to look for deviations from standard usages.\n\n### Examples\n * SMB\n * Zeromq\n * Java RMI API\n\n## Considerations\n* IPC can generate substantial amounts of data, and it may not be feasible to collect all of it.\n* IPC may occur over loopback interfaces or direct memory access granted by the operating system.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-SMBCopyAndExecution_MITRE"
},
{
"@id": "d3f:Reference-SMBEventsMonitoring_MITRE"
},
{
"@id": "d3f:Reference-SMBSessionSetups_MITRE"
},
{
"@id": "d3f:Reference-SMBWriteRequest-NamedPipes_MITRE"
},
{
"@id": "d3f:Reference-SMBWriteRequest_MITRE"
},
{
"@id": "d3f:Reference-SecuritySystemWithMethodologyForInterprocessCommunicationControl_CheckPointSoftwareTechInc"
},
{
"@id": "d3f:Reference-CAR-2015-04-001%3ARemotelyScheduledTasksViaAT_MITRE"
}
],
"d3f:synonym": "IPC Analysis",
"rdfs:label": "IPC Traffic Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkTrafficAnalysis"
},
{
"@id": "_:N517a726ea74142b489a4e80784f7e308"
}
]
},
{
"@id": "_:N517a726ea74142b489a4e80784f7e308",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:IntranetIPCNetworkTraffic"
}
},
{
"@id": "d3f:OTReadDeviceConfigurationDataCommand",
"@type": "owl:Class",
"d3f:definition": "Read device configuration.",
"rdfs:comment": [
"BACnet: deviceCommunicationControl",
"GE-SRTP: READ PROGRAM MEMORY"
],
"rdfs:label": "OT Read Device Configuration Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTDeviceConfigurationCommand"
}
},
{
"@id": "d3f:OrganizationMapping",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:OrganizationMapping"
],
"d3f:d3fend-id": "D3-OM",
"d3f:definition": "Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.",
"d3f:display-order": 4,
"d3f:kb-reference": [
{
"@id": "d3f:Reference-CatiaUAFPlugin"
},
{
"@id": "d3f:Reference-OrganizationalManagementInSAPERPHCM"
},
{
"@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
}
],
"d3f:maps": [
{
"@id": "d3f:Dependency"
},
{
"@id": "d3f:Organization"
},
{
"@id": "d3f:Person"
}
],
"d3f:may-map": {
"@id": "d3f:OrganizationalActivity"
},
"rdfs:label": "Organization Mapping",
"rdfs:subClassOf": [
{
"@id": "d3f:OperationalActivityMapping"
},
{
"@id": "_:Ne7c904c96fdc45349878c26a48b14dcc"
},
{
"@id": "_:Nda9a86dea35749d4ac4d57c8fc94fcd8"
},
{
"@id": "_:N1240ce3ba7cb459f87076844552058bc"
},
{
"@id": "_:Nec0efb4d0a3a4a7791f06158f868a510"
}
]
},
{
"@id": "_:Ne7c904c96fdc45349878c26a48b14dcc",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:maps"
},
"owl:someValuesFrom": {
"@id": "d3f:Dependency"
}
},
{
"@id": "_:Nda9a86dea35749d4ac4d57c8fc94fcd8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:maps"
},
"owl:someValuesFrom": {
"@id": "d3f:Organization"
}
},
{
"@id": "_:N1240ce3ba7cb459f87076844552058bc",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:maps"
},
"owl:someValuesFrom": {
"@id": "d3f:Person"
}
},
{
"@id": "_:Nec0efb4d0a3a4a7791f06158f868a510",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-map"
},
"owl:someValuesFrom": {
"@id": "d3f:OrganizationalActivity"
}
},
{
"@id": "d3f:T1136.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1136.001",
"d3f:creates": {
"@id": "d3f:LocalUserAccount"
},
"d3f:definition": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.",
"rdfs:label": "Local Account",
"rdfs:subClassOf": [
{
"@id": "d3f:T1136"
},
{
"@id": "_:Nee68c67d9bb34e8d932665587e1550a2"
}
]
},
{
"@id": "_:Nee68c67d9bb34e8d932665587e1550a2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:LocalUserAccount"
}
},
{
"@id": "d3f:CCI-002145_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:UserAccountPermissions"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-24T00:00:00"
},
"rdfs:label": "CCI-002145"
},
{
"@id": "d3f:T1193",
"@type": "owl:Class",
"d3f:attack-id": "T1193",
"d3f:definition": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1566.001",
"rdfs:label": "Spearphishing Attachment",
"rdfs:seeAlso": "T1566.001",
"rdfs:subClassOf": {
"@id": "d3f:InitialAccessTechnique"
}
},
{
"@id": "d3f:addressed-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x addressed-by y: Relates a resource x (e.g., network host, peripheral device, disk sector, a memory cell or other logical or physical entity) to a discrete address y in an address space that points to it.",
"owl:inverseOf": {
"@id": "d3f:addresses"
},
"rdfs:label": "addressed-by",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:MultipleRegression",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-MR",
"d3f:definition": "Multiple (linear) regression attempts to model the relationship between two or more explanatory variables and a response variable by fitting a linear equation to observed data.",
"d3f:kb-article": "## References\nYale University Department of Statistics. (1997-98). Linear regression and multivariate analysis. [Link](http://www.stat.yale.edu/Courses/1997-98/101/linmult.htm)",
"d3f:synonym": "Multiple Linear Regression",
"rdfs:label": "Multiple Regression",
"rdfs:subClassOf": {
"@id": "d3f:RegressionAnalysis"
}
},
{
"@id": "d3f:CCI-002729_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:DriverLoadIntegrityChecking"
},
{
"@id": "d3f:TPMBootIntegrity"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-11T00:00:00"
},
"rdfs:label": "CCI-002729"
},
{
"@id": "d3f:CWE-1204",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1204",
"d3f:definition": "The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.",
"rdfs:label": "Generation of Weak Initialization Vector (IV)",
"rdfs:subClassOf": {
"@id": "d3f:CWE-330"
}
},
{
"@id": "d3f:CWE-1392",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1392",
"d3f:definition": "The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.",
"rdfs:label": "Use of Default Credentials",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1391"
}
},
{
"@id": "d3f:Reference-ComputingApparatusWithAutomaticIntegrityReferenceGenerationAndMaintenance_Tripwire,Inc.",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20040060046A1"
},
"d3f:kb-abstract": "An apparatus is equipped to automatically update one or more integrity references of a software entity, when the software entity is installed onto the apparatus. The apparatus is further equipped to periodically determine whether the integrity of the apparatus has been compromised based at least in part on the one or more integrity references of the software entity that are automatically updated during installation of the software entity.",
"d3f:kb-author": "Thomas Good, Robert DiFalco, Gene Kim",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Tripwire, Inc.",
"d3f:kb-reference-of": {
"@id": "d3f:ExecutableAllowlisting"
},
"d3f:kb-reference-title": "Computing apparatus with automatic integrity reference generation and maintenance",
"rdfs:label": "Reference - Computing apparatus with automatic integrity reference generation and maintenance - Tripwire, Inc."
},
{
"@id": "d3f:unmounts",
"@type": "owl:ObjectProperty",
"d3f:definition": "x unmounts y: An operation x removes the access via computer system's file system the availability of files and directories on a storage artifact y. Unmounts reverse or undo prior mount operations.",
"rdfs:label": "unmounts",
"rdfs:seeAlso": {
"@id": "dbr:Mount_(computing)"
},
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:T1203",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1203",
"d3f:definition": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.",
"d3f:modifies": [
{
"@id": "d3f:ProcessCodeSegment"
},
{
"@id": "d3f:StackFrame"
}
],
"rdfs:label": "Exploitation for Client Execution",
"rdfs:subClassOf": [
{
"@id": "d3f:ExecutionTechnique"
},
{
"@id": "_:N25b90c6156c54c819ee9e6f7fc1e30e8"
},
{
"@id": "_:N5cfbca6c0fb64e51bbdfa9890fad3dcb"
}
]
},
{
"@id": "_:N25b90c6156c54c819ee9e6f7fc1e30e8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessCodeSegment"
}
},
{
"@id": "_:N5cfbca6c0fb64e51bbdfa9890fad3dcb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:StackFrame"
}
},
{
"@id": "d3f:CertificateTrustStore",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:Certificate"
},
"d3f:definition": "A certificate truststore is used to store public certificates used to authenticate clients by the server for an SSL connection.",
"rdfs:label": "Certificate Trust Store",
"rdfs:seeAlso": [
{
"@id": "dbr:Public_key_certificate"
},
{
"@id": "https://www.educative.io/edpresso/keystore-vs-truststore"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:TrustStore"
},
{
"@id": "_:N28a5a213c3b64be1bb30a664818d07c7"
}
]
},
{
"@id": "_:N28a5a213c3b64be1bb30a664818d07c7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:Certificate"
}
},
{
"@id": "d3f:T1124",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1124",
"d3f:definition": "An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)",
"d3f:may-invoke": [
{
"@id": "d3f:CreateProcess"
},
{
"@id": "d3f:GetSystemTime"
}
],
"rdfs:label": "System Time Discovery",
"rdfs:subClassOf": [
{
"@id": "d3f:DiscoveryTechnique"
},
{
"@id": "_:N633d43c3686342a8a1f95368bcd8052d"
},
{
"@id": "_:N4ef55a0cf1f84ff5b474113b3a77a6de"
}
]
},
{
"@id": "_:N633d43c3686342a8a1f95368bcd8052d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "_:N4ef55a0cf1f84ff5b474113b3a77a6de",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:GetSystemTime"
}
},
{
"@id": "d3f:BitmapImageFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:BitmapImage"
},
"d3f:definition": "A file that contains graphics data represented in a bitmap.",
"rdfs:label": "Bitmap Image File",
"rdfs:subClassOf": [
{
"@id": "d3f:ImageFile"
},
{
"@id": "_:N378a226fb9d24fd9914c786facc574c1"
}
]
},
{
"@id": "_:N378a226fb9d24fd9914c786facc574c1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:BitmapImage"
}
},
{
"@id": "d3f:OpticalModem",
"@type": "owl:Class",
"d3f:definition": "A modem that connects to a fiber optic network is known as an optical network terminal (ONT) or optical network unit (ONU). These are commonly used in fiber to the home installations, installed inside or outside a house to convert the optical medium to a copper Ethernet interface, after which a router or gateway is often installed to perform authentication, routing, NAT, and other typical consumer internet functions, in addition to \"triple play\" features such as telephony and television service.",
"rdfs:isDefinedBy": {
"@id": "http://dbpedia.org/resource/Modem#Optical_modem"
},
"rdfs:label": "Optical Modem",
"rdfs:subClassOf": {
"@id": "d3f:Modem"
}
},
{
"@id": "d3f:powers",
"@type": "owl:ObjectProperty",
"d3f:definition": "x powers y: x furnishes y with the energy or force required for y's functionality or operation.",
"rdfs:label": "powers",
"rdfs:subPropertyOf": {
"@id": "d3f:has-dependent"
}
},
{
"@id": "d3f:RestoreUserAccountAccess",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:RestoreUserAccountAccess"
],
"d3f:d3fend-id": "D3-RUAA",
"d3f:definition": "Restoring a user account's access to resources.",
"d3f:kb-reference": {
"@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
},
"d3f:restores": {
"@id": "d3f:UserAccount"
},
"rdfs:label": "Restore User Account Access",
"rdfs:subClassOf": [
{
"@id": "d3f:RestoreAccess"
},
{
"@id": "_:N5138a36dca5b40e09c4132d525dcabd5"
}
]
},
{
"@id": "_:N5138a36dca5b40e09c4132d525dcabd5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restores"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:may-interpret",
"@type": "owl:ObjectProperty",
"d3f:definition": "x may-interpret y: They entity x may interpret the thing y; that is, 'x interprets y' may be true.",
"rdfs:label": "may-interpret",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:may-be-accessed-by",
"@type": "owl:ObjectProperty",
"rdfs:label": "may-be-accessed-by",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:UserProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A user process is a process running to perform functions in the name of on particular user and user account, such as run an application or application service serving any number users. This is in contrast to a system process, which executes software to fulfill operating system functions.",
"rdfs:label": "User Process",
"rdfs:subClassOf": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:CCI-002381_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:Hardware-basedProcessIsolation"
},
{
"@id": "d3f:Kernel-basedProcessIsolation"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002381"
},
{
"@id": "d3f:ScheduledJobUpdateEvent",
"@type": "owl:Class",
"d3f:definition": "An event where an existing scheduled task is updated, altering parameters such as timing, conditions, or actions.",
"rdfs:label": "Scheduled Job Update Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ScheduledJobEvent"
},
{
"@id": "_:Nff72939c4d414cc1a275baced575ddae"
}
]
},
{
"@id": "_:Nff72939c4d414cc1a275baced575ddae",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ScheduledJobCreationEvent"
}
},
{
"@id": "d3f:DS0010",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs",
"d3f:exactly": {
"@id": "d3f:CloudStorage"
},
"rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Cloud Storage Metadata component",
"rdfs:label": "Cloud Storage (ATT&CK DS)"
},
{
"@id": "d3f:PowerThermalDeviceEvent",
"@type": "owl:Class",
"d3f:definition": "An event involving power supplies, batteries, or thermal management devices. These events represent changes in power states, temperature thresholds, or cooling system activity.",
"rdfs:label": "Power and Thermal Device Event",
"rdfs:subClassOf": [
{
"@id": "d3f:HardwareDeviceEvent"
},
{
"@id": "_:Nf5544b4a4fea4c8c96b4a2275c83bc9a"
}
]
},
{
"@id": "_:Nf5544b4a4fea4c8c96b4a2275c83bc9a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:Sensor"
}
},
{
"@id": "d3f:Reference-SystemAndMethodForValidatingIn-memoryIntegrityOfExecutableFilesToIdentifyMaliciousActivity_EndgameInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20190018962A1/en?oq=15648887"
},
"d3f:kb-abstract": "In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in volatile memory of a computing device before the instructions are executed. The malicious code detection module identifies an executable file, such as an .exe file, in memory, validates one or more components of the executable file against the same file stored in non-volatile storage, and issues an alert if the validation fails.",
"d3f:kb-author": "Joseph W. Desimone",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Endgame Inc",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessCodeSegmentVerification"
},
"d3f:kb-reference-title": "System and method for validating in-memory integrity of executable files to identify malicious activity",
"rdfs:label": "Reference - System and method for validating in-memory integrity of executable files to identify malicious activity - Endgame Inc"
},
{
"@id": "d3f:NIST_SP_800-53_R5_MA-3_5",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Maintenance Tools | Execution with Privilege",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:UserAccountPermissions"
},
"rdfs:label": "MA-3(5)"
},
{
"@id": "d3f:T1021.002",
"@type": "owl:Class",
"d3f:attack-id": "T1021.002",
"d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.",
"rdfs:label": "SMB/Windows Admin Shares",
"rdfs:subClassOf": {
"@id": "d3f:T1021"
}
},
{
"@id": "d3f:LinuxPauseThread",
"@type": "owl:Class",
"d3f:definition": "Causes the calling thread to sleep until a signal is delivered that either terminates the thread or causes the invocation of a signal-catching function.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/pause.2.html"
},
"rdfs:label": "Linux Pause Thread",
"rdfs:subClassOf": {
"@id": "d3f:OSAPISuspendThread"
}
},
{
"@id": "d3f:FileContentBlockData",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "The actual content or main data within a file or data block.",
"rdfs:label": "File Content Block Data",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformation"
}
},
{
"@id": "d3f:KerberosTicketGrantingServiceTicket",
"@type": "owl:Class",
"d3f:definition": "A Kerberos ticket-granting service (TGS) ticket is given in response to requesting a Kerberos TGS request.",
"rdfs:label": "Kerberos Ticket Granting Service Ticket",
"rdfs:subClassOf": {
"@id": "d3f:KerberosTicket"
},
"skos:altLabel": "TGS Ticket"
},
{
"@id": "d3f:Reference-ReferenceNullification_SecureSoftwareInc",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf"
},
"d3f:kb-organization": "Secure Software, Inc.",
"d3f:kb-reference-of": {
"@id": "d3f:ReferenceNullification"
},
"d3f:kb-reference-title": "The CLASP Application Security Process",
"rdfs:label": "Reference - Reference Nullification"
},
{
"@id": "d3f:CWE-756",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-756",
"d3f:definition": "The product does not return custom error pages to the user, possibly exposing sensitive information.",
"rdfs:label": "Missing Custom Error Page",
"rdfs:subClassOf": {
"@id": "d3f:CWE-755"
}
},
{
"@id": "d3f:NetworkConnectionRefuseEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a network connection is refused.",
"rdfs:label": "Network Connection Refuse Event",
"rdfs:subClassOf": {
"@id": "d3f:NetworkConnectionEvent"
}
},
{
"@id": "d3f:DirectPhysicalLinkMapping",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DirectPhysicalLinkMapping"
],
"d3f:d3fend-id": "D3-DPLM",
"d3f:definition": "Direct physical link mapping creates a physical link map by direct observation and recording of the physical network links.",
"d3f:kb-article": "## How it works\n\nDirect Physical Link Mapping involves a manual process where a network engineer or administrator physically observes and documents the physical connections within the network infrastructure.\n\n## Considerations\n\n* Constructing and maintaining physical topologies for extensive networks can be challenging and time-consuming using manual methods. Therefore, where feasible, automated methods like active physical link mapping should be considered as a partial or complete solution for physical link mapping processes.\n\n* In scenarios where active physical link mapping is not an option, physical inspection of networks is necessary to accomplish physical link mapping. This is due to the lack of reliable techniques to accurately map physical links solely through passive network traffic monitoring.",
"d3f:kb-reference": {
"@id": "d3f:Reference-NetworkMapping"
},
"d3f:synonym": "Manual Physical Link Mapping",
"rdfs:label": "Direct Physical Link Mapping",
"rdfs:seeAlso": {
"@id": "https://en.wikipedia.org/wiki/Transmission_medium"
},
"rdfs:subClassOf": {
"@id": "d3f:PhysicalLinkMapping"
}
},
{
"@id": "d3f:ResamplingEnsemble",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-RE",
"d3f:definition": "In the method, the small classes are oversampled and large classes are undersampled. The resampling scale is determined by the ratio of the min class number and max class number. And multiple machine learning methods are selected to construct the ensemble",
"d3f:kb-article": "## References\nEnsemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).\n\nTorgo, L. (2014). A resampling ensemble algorithm for improved accuracy. *Neurocomputing*, 134, 55-66. [Link](https://www.sciencedirect.com/science/article/pii/S0925231214007644#:~:text=A%20resampling%20ensemble%20algorithm%20is,and%20undersampling%20are%20empirically%20analyzed).",
"rdfs:label": "Resampling Ensemble",
"rdfs:subClassOf": {
"@id": "d3f:EnsembleLearning"
}
},
{
"@id": "d3f:CWE-773",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-773",
"d3f:definition": "The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.",
"rdfs:label": "Missing Reference to Active File Descriptor or Handle",
"rdfs:subClassOf": {
"@id": "d3f:CWE-771"
}
},
{
"@id": "d3f:T1546.011",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1546.011",
"d3f:creates": {
"@id": "d3f:Shim"
},
"d3f:definition": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)",
"d3f:modifies": {
"@id": "d3f:ShimDatabase"
},
"rdfs:label": "Application Shimming",
"rdfs:subClassOf": [
{
"@id": "d3f:T1546"
},
{
"@id": "_:N22ba19ecca5e41358ea29b2806fe3275"
},
{
"@id": "_:N82c2f8ea15d2489fbdb6ab68a0b59774"
}
]
},
{
"@id": "_:N22ba19ecca5e41358ea29b2806fe3275",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:Shim"
}
},
{
"@id": "_:N82c2f8ea15d2489fbdb6ab68a0b59774",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ShimDatabase"
}
},
{
"@id": "d3f:CWE-1233",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1233",
"d3f:definition": "The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.",
"rdfs:label": "Security-Sensitive Hardware Controls with Missing Lock Bit Protection",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-284"
},
{
"@id": "d3f:CWE-667"
}
]
},
{
"@id": "d3f:OffensiveTechnique",
"@type": "owl:Class",
"d3f:display-baseurl": "/offensive-technique/attack/",
"rdfs:isDefinedBy": {
"@id": "https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf"
},
"rdfs:label": "Offensive Technique",
"rdfs:subClassOf": [
{
"@id": "d3f:CyberTechnique"
},
{
"@id": "_:N9bb24be97c6147838352a1033ced68a1"
},
{
"@id": "_:N3fd2c2d98b1d414fbdf7f125f81091e0"
}
]
},
{
"@id": "_:N9bb24be97c6147838352a1033ced68a1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:OffensiveTactic"
}
},
{
"@id": "_:N3fd2c2d98b1d414fbdf7f125f81091e0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:initiates"
},
"owl:someValuesFrom": {
"@id": "d3f:Access"
}
},
{
"@id": "d3f:M1046",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": [
{
"@id": "d3f:BootloaderAuthentication"
},
{
"@id": "d3f:TPMBootIntegrity"
}
],
"rdfs:label": "Boot Integrity"
},
{
"@id": "d3f:ReconnaissanceTechnique",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:enables": {
"@id": "d3f:TA0043"
},
"rdfs:label": "Reconnaissance Technique",
"rdfs:subClassOf": [
{
"@id": "d3f:ATTACKEnterpriseTechnique"
},
{
"@id": "d3f:OffensiveTechnique"
},
{
"@id": "_:N5ed45a1627374088a27ed5738b3f701d"
}
]
},
{
"@id": "_:N5ed45a1627374088a27ed5738b3f701d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:TA0043"
}
},
{
"@id": "d3f:DeveloperApplication",
"@type": "owl:Class",
"d3f:definition": "An application used to develop computer software including applications used for software construction, analysis, testing, packaging, or management.",
"rdfs:label": "Developer Application",
"rdfs:seeAlso": [
{
"@id": "dbr:Application_development"
},
{
"@id": "dbr:Application_software"
}
],
"rdfs:subClassOf": {
"@id": "d3f:UserApplication"
}
},
{
"@id": "d3f:CWE-1121",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1121",
"d3f:definition": "The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.",
"rdfs:label": "Excessive McCabe Cyclomatic Complexity",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1120"
}
},
{
"@id": "d3f:T1113",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1113",
"d3f:definition": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)",
"d3f:may-access": {
"@id": "d3f:DisplayServer"
},
"d3f:may-invoke": {
"@id": "d3f:GetScreenCapture"
},
"rdfs:label": "Screen Capture",
"rdfs:subClassOf": [
{
"@id": "d3f:CollectionTechnique"
},
{
"@id": "_:N44218e35fcfd4fe38ec7d696cbf2424c"
},
{
"@id": "_:N97a6a6d71d774666bc61f490c3b87fcf"
}
]
},
{
"@id": "_:N44218e35fcfd4fe38ec7d696cbf2424c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-access"
},
"owl:someValuesFrom": {
"@id": "d3f:DisplayServer"
}
},
{
"@id": "_:N97a6a6d71d774666bc61f490c3b87fcf",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:GetScreenCapture"
}
},
{
"@id": "d3f:CWE-1096",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1096",
"d3f:definition": "The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.",
"rdfs:label": "Singleton Class Instance Creation without Proper Locking or Synchronization",
"rdfs:subClassOf": {
"@id": "d3f:CWE-820"
}
},
{
"@id": "d3f:controls",
"@type": "owl:ObjectProperty",
"d3f:definition": "x controls y: x directs or regulates y's operational state, behavior, or function.",
"rdfs:label": "controls",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:T1566.004",
"@type": "owl:Class",
"d3f:attack-id": "T1566.004",
"d3f:definition": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.",
"rdfs:label": "Spearphishing Voice",
"rdfs:subClassOf": {
"@id": "d3f:T1566"
}
},
{
"@id": "d3f:MemoryAddressSpace",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:MemoryAddress"
},
"d3f:definition": "A memory address space is a space containing memory addresses.",
"rdfs:label": "Memory Address Space",
"rdfs:subClassOf": [
{
"@id": "d3f:AddressSpace"
},
{
"@id": "_:N8180ec3f1ff748adacef9bcf6ad8fd53"
}
]
},
{
"@id": "_:N8180ec3f1ff748adacef9bcf6ad8fd53",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryAddress"
}
},
{
"@id": "d3f:Reference-MethodAndApparatusForIncreasingTheSpeedAtWhichComputerVirusesAreDetected_McAfeeLLC",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US5502815A"
},
"d3f:kb-abstract": "The method and apparatus for increasing the speed at which computer viruses are detected stores initial state information concerning the file or volume which is being examined for a virus. This information is stored in a cache in a non-volatile storage medium and when files are subsequently scanned for viruses, the current state information is compared to the initial state information stored in the cache. If the initial state information differs from the current state information then the file or volume is scanned for viruses which change the state information of the file or volume. If the initial state information and current state information is the same then the file or volume is scanned for a subset of viruses which do not change the state information.",
"d3f:kb-author": "Paul D. Cozza",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "McAfee LLC",
"d3f:kb-reference-of": {
"@id": "d3f:ExecutableDenylisting"
},
"d3f:kb-reference-title": "Method and apparatus for increasing the speed at which computer viruses are detected",
"rdfs:label": "Reference - Method and apparatus for increasing the speed at which computer viruses are detected - McAfee LLC"
},
{
"@id": "d3f:T1078.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1078.003",
"d3f:definition": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.",
"d3f:uses": {
"@id": "d3f:LocalUserAccount"
},
"rdfs:label": "Local Accounts",
"rdfs:subClassOf": [
{
"@id": "d3f:T1078"
},
{
"@id": "_:N9ab757b755bd4233836da6865a0365cb"
}
]
},
{
"@id": "_:N9ab757b755bd4233836da6865a0365cb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:uses"
},
"owl:someValuesFrom": {
"@id": "d3f:LocalUserAccount"
}
},
{
"@id": "d3f:Reference-UsingSpanningTreeProtocolSTPToEnhanceLayer2NetworkTopologyMaps",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US8045488B2"
},
"d3f:kb-abstract": "Spanning Tree Protocol (STP) data is obtained via network switch (SNMP) queries to enhance identification of switch-to-switch links in Layer-2 mapping. In particular, by analyzing the STP data, ambiguity in determining switch uplink ports may be reduced. Specifically, the STP data can be used in conjunction with other topography data to provide Layer-2 connectivity for nodes on a network topology. Layer-2 address mapping tables are collected from a topology mapping, and STP data is collected, along with address translation tables (ARP) tables. Using this information, switches are identified using Layer-2 address tables. The STP data can be correlated by comparing data in switches, identifying switch ports directly connected to other switch ports, and eliminating direct switch-to-switch port connections from consideration for further Layer-2 node mappings.",
"d3f:kb-author": "Michael Jon Swan",
"d3f:kb-organization": "SolarWinds Worldwide LLC",
"d3f:kb-reference-of": {
"@id": "d3f:ActivePhysicalLinkMapping"
},
"d3f:kb-reference-title": "Using spanning tree protocol (STP) to enhance layer-2 topology maps",
"rdfs:label": "Reference - Using spanning tree protocol (STP) to enhance layer-2 topology maps"
},
{
"@id": "d3f:T1218.013",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1218.013",
"d3f:definition": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)",
"d3f:invokes": {
"@id": "d3f:CreateThread"
},
"d3f:modifies": {
"@id": "d3f:ProcessSegment"
},
"rdfs:label": "Mavinject",
"rdfs:seeAlso": {
"@id": "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e"
},
"rdfs:subClassOf": [
{
"@id": "d3f:T1218"
},
{
"@id": "_:Nc1a773fa06d74b1aba8a4161b2949af5"
},
{
"@id": "_:N0ce64b3c8b454316afcef01dc8a9f887"
}
]
},
{
"@id": "_:Nc1a773fa06d74b1aba8a4161b2949af5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateThread"
}
},
{
"@id": "_:N0ce64b3c8b454316afcef01dc8a9f887",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessSegment"
}
},
{
"@id": "d3f:SubspaceClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SC",
"d3f:definition": "Subspace clustering is an extension of traditional clustering that seeks to find clusters in different subspaces within a dataset.",
"d3f:kb-article": "## References\nParsons, L., Haque, E., & Liu, H. (2004). Subspace Clustering for High Dimensional Data: A Review. [Link](https://www.kdd.org/exploration_files/parsons.pdf)",
"rdfs:label": "Subspace Clustering",
"rdfs:subClassOf": {
"@id": "d3f:CorrelationClustering"
}
},
{
"@id": "d3f:WindowsNtProtectVirtualMemory",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"rdfs:label": "Windows NtProtectVirtualMemory",
"rdfs:seeAlso": {
"@id": "https://www.delphibasics.info/home/delphibasicssnippets/nativewriteprocessmemoryapireplacement"
},
"rdfs:subClassOf": {
"@id": "d3f:OSAPIAllocateMemory"
}
},
{
"@id": "d3f:BayesianHypothesisTesting",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-BHT",
"d3f:definition": "Bayesian hypothesis testing can be framed as a special case of model comparison where a model refers to a likelihood function and a prior distribution.",
"d3f:kb-article": "## How it works\nGiven two competing hypotheses and some relevant data, Bayesian hypothesis testing begins by specifying separate prior distributions to quantitatively describe each hypothesis. The combination of the likelihood function for the observed data with each of the prior distributions yields hypothesis-specific models. For each of the hypothesis-specific models, averaging (ie, integrating) the likelihood with respect to the prior distribution across the entire parameter space yields the probability of the data under the model and, therefore, the corresponding hypothesis. This quantity is more commonly referred to as the marginal likelihood and represents the average fit of the model to the data. The ratio of the marginal likelihoods for both hypothesis-specific models is known as the Bayes factor.\n\n## References\nBaig, S. A., PhD. (2020). Bayesian Inference: An Introduction to Hypothesis Testing Using Bayes Factors. Nicotine & Tobacco Research, 22(7), 1244-1246. [Link](https://academic.oup.com/ntr/article/22/7/1244/5613971)",
"rdfs:label": "Bayesian Hypothesis Testing",
"rdfs:subClassOf": {
"@id": "d3f:BayesianMethod"
}
},
{
"@id": "d3f:T1132.002",
"@type": "owl:Class",
"d3f:attack-id": "T1132.002",
"d3f:definition": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding)",
"rdfs:label": "Non-Standard Encoding",
"rdfs:subClassOf": {
"@id": "d3f:T1132"
}
},
{
"@id": "d3f:Distribution-basedClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DBC",
"d3f:definition": "Distribution-based clustering creates and groups data points based on their likely hood of belonging to the same probability distribution (Gaussian, Binomial, etc.) in the data.",
"d3f:kb-article": "## References\nAnalytixLabs. (n.d.). Types of Clustering Algorithms. [Link](https://www.analytixlabs.co.in/blog/types-of-clustering-algorithms/#:~:text=Distribution-Based)",
"rdfs:label": "Distribution-based Clustering",
"rdfs:subClassOf": {
"@id": "d3f:ClusterAnalysis"
}
},
{
"@id": "d3f:CWE-359",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-359",
"d3f:definition": "The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.",
"d3f:synonym": [
"Privacy leak",
"Privacy leakage",
"Privacy violation"
],
"rdfs:label": "Exposure of Private Personal Information to an Unauthorized Actor",
"rdfs:subClassOf": {
"@id": "d3f:CWE-200"
}
},
{
"@id": "d3f:T1056.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1056.003",
"d3f:definition": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.",
"d3f:modifies": {
"@id": "d3f:WebServerApplication"
},
"rdfs:label": "Web Portal Capture",
"rdfs:subClassOf": [
{
"@id": "d3f:T1056"
},
{
"@id": "_:Na171f7b58c194ebf926557c2729966fd"
}
]
},
{
"@id": "_:Na171f7b58c194ebf926557c2729966fd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:WebServerApplication"
}
},
{
"@id": "d3f:Reference-TypeSystems_Princeton",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.cs.princeton.edu/courses/archive/fall98/cs441/mainus/node4.html"
},
"d3f:kb-organization": "Princeton University",
"d3f:kb-reference-of": {
"@id": "d3f:VariableTypeValidation"
},
"d3f:kb-reference-title": "Why type checking?",
"rdfs:label": "Reference - Type Systems"
},
{
"@id": "d3f:InboundInternetEncryptedTraffic",
"@type": "owl:Class",
"d3f:definition": "Inbound internet encrypted traffic is encrypted network traffic on an incoming connection initiated from a host outside the network to a host within a network .",
"rdfs:label": "Inbound Internet Encrypted Traffic",
"rdfs:subClassOf": {
"@id": "d3f:InboundInternetNetworkTraffic"
}
},
{
"@id": "d3f:T1070.007",
"@type": "owl:Class",
"d3f:attack-id": "T1070.007",
"d3f:definition": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.",
"rdfs:label": "Clear Network Connection History and Configurations",
"rdfs:subClassOf": {
"@id": "d3f:T1070"
}
},
{
"@id": "d3f:LinuxPauseProcess",
"@type": "owl:Class",
"d3f:definition": "Causes the calling process to sleep until a signal is delivered that either terminates the process or causes the invocation of a signal-catching function.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/pause.2.html"
},
"rdfs:label": "Linux Pause Process",
"rdfs:subClassOf": {
"@id": "d3f:OSAPISuspendProcess"
}
},
{
"@id": "d3f:CWE-1335",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1335",
"d3f:definition": "An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.",
"rdfs:label": "Incorrect Bitwise Shift of Integer",
"rdfs:subClassOf": {
"@id": "d3f:CWE-682"
}
},
{
"@id": "d3f:T1206",
"@type": "owl:Class",
"d3f:attack-id": "T1206",
"d3f:definition": "The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\" (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout that is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1548.003",
"rdfs:label": "Sudo Caching",
"rdfs:seeAlso": "T1548.003",
"rdfs:subClassOf": {
"@id": "d3f:PrivilegeEscalationTechnique"
}
},
{
"@id": "d3f:DecoyNetworkResource",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:DecoyNetworkResource"
],
"d3f:d3fend-id": "D3-DNR",
"d3f:definition": "Deploying a network resource for the purposes of deceiving an adversary.",
"d3f:kb-article": "## How it works\nDecoy network resources are deployed to web application servers, network file shares, or other network based sharing services.\n\nA \"honeypot\" may serve a variety of decoy network resources.\n\n## Considerations\n\n* Developing a deployment and placement strategy for the decoy network resource.\n* Personnel responsible for creation of decoy networks should consider the potential for resource exhaustion through denial of service attacks.\n\n## Examples\n* Honeypots are typically used to mimic a known system with fake vulnerabilities. This may attract attackers to the honeypot.\n* Decoy accounts are also used to scan for attempted logins. The decoy accounts can provide security analysts with the attacker's potential intents and strategies.\n* Tarpits are used to monitor unallocated IP space for unauthorized network activity.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-AutomaticallyGeneratingNetworkResourceGroupsAndAssigningCustomizedDecoyPoliciesThereto_IllusiveNetworksLtd"
},
{
"@id": "d3f:Reference-Deception-BasedResponsesToSecurityAttacks_CrowdstrikeInc"
},
{
"@id": "d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc"
},
{
"@id": "d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc"
}
],
"d3f:spoofs": {
"@id": "d3f:NetworkResource"
},
"rdfs:label": "Decoy Network Resource",
"rdfs:subClassOf": [
{
"@id": "d3f:DecoyObject"
},
{
"@id": "_:N3abef9ff594f439285e40348541f704d"
}
]
},
{
"@id": "_:N3abef9ff594f439285e40348541f704d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:spoofs"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkResource"
}
},
{
"@id": "d3f:DS0029",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
"d3f:exactly": {
"@id": "d3f:NetworkTraffic"
},
"rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Network Traffic Content component",
"rdfs:label": "Network Traffic (ATT&CK DS)"
},
{
"@id": "d3f:Reference-NearMemoryInMemoryDetectionofFilelessMalware",
"@type": [
"owl:NamedIndividual",
"d3f:AcademicPaperReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://web.inf.ufpr.br/mazalves/wp-content/uploads/sites/13/2021/03/memsys2020.pdf"
},
"d3f:kb-abstract": "Fileless malware are recent threats to computer systems that load directly into memory, and whose aim is to prevent anti-viruses (AVs) from successfully matching byte patterns against suspicious files written on disk. Their detection requires that software-based AVs continuously scan memory, which is expensive due to repeated locks and polls. However, research advances introduced near-memory and in-memory processing, which allow memory controllers to trigger basic computations without moving data to the CPU. In this paper, we address AVs performance overhead by moving them to the hardware, i.e., we propose instrumenting processors’ memory controller or smart memories (near- and in-memory malware detection, respectively) to accelerate memory scanning procedures. To do so, we present MINI-ME, the Malware Identification based on Near- and In-Memory Evaluation mechanism, a hardware-based AV accelerator that interrupts the program’s execution if malicious patterns are discovered in their memory. We prototyped MINI-ME in a simulator and tested it with a set of 21 thousand in-the-wild malware samples, which resulted in multiple signatures matching with less than 1% of performance overhead and rates of 100% detection, and zero false-positives and false-negatives.",
"d3f:kb-author": "Marcus Botacin, André Grégio, Marco Antonio Zanata Alves",
"d3f:kb-reference-of": {
"@id": "d3f:HostShutdown"
},
"d3f:kb-reference-title": "Near-Memory & In-Memory Detection of Fileless Malware",
"rdfs:label": "Reference - Near-Memory & In-Memory Detection of Fileless Malware"
},
{
"@id": "d3f:T1195",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1195",
"d3f:definition": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.",
"d3f:modifies": {
"@id": "d3f:DigitalArtifact"
},
"rdfs:label": "Supply Chain Compromise",
"rdfs:subClassOf": [
{
"@id": "d3f:InitialAccessTechnique"
},
{
"@id": "_:Nadf9e8dfeba5474f8d624022be2b576d"
}
]
},
{
"@id": "_:Nadf9e8dfeba5474f8d624022be2b576d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:DigitalArtifact"
}
},
{
"@id": "d3f:T1608",
"@type": "owl:Class",
"d3f:attack-id": "T1608",
"d3f:definition": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)",
"rdfs:label": "Stage Capabilities",
"rdfs:subClassOf": {
"@id": "d3f:ResourceDevelopmentTechnique"
}
},
{
"@id": "d3f:NetworkMediaStreamingResource",
"@type": "owl:Class",
"d3f:definition": "A server that provides digital media content to users.",
"rdfs:label": "Network Media Streaming Resource",
"rdfs:subClassOf": {
"@id": "d3f:NetworkResource"
}
},
{
"@id": "d3f:FileSystemLink",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A file system link associates a name with a file on a file system. Most generally, this may be a direct reference (a hard link) or an indirect one (a soft link).",
"rdfs:isDefinedBy": {
"@id": "dbr:Hard_link"
},
"rdfs:label": "File System Link",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
}
},
{
"@id": "d3f:d3fend-object-property",
"@type": "owl:ObjectProperty",
"rdfs:label": "d3fend-object-property"
},
{
"@id": "d3f:T1572",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1572",
"d3f:definition": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.",
"d3f:produces": {
"@id": "d3f:OutboundInternetNetworkTraffic"
},
"rdfs:label": "Protocol Tunneling",
"rdfs:subClassOf": [
{
"@id": "d3f:CommandAndControlTechnique"
},
{
"@id": "_:N0e5835ff6490494a8d3a88e785ead6f3"
}
]
},
{
"@id": "_:N0e5835ff6490494a8d3a88e785ead6f3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetNetworkTraffic"
}
},
{
"@id": "d3f:CWE-1289",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1289",
"d3f:definition": "The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.",
"rdfs:label": "Improper Validation of Unsafe Equivalence in Input",
"rdfs:subClassOf": {
"@id": "d3f:CWE-20"
}
},
{
"@id": "d3f:Reference-DecoyPersonasForSafeguardingOnlineIdentityUsingDeception_",
"@type": [
"owl:NamedIndividual",
"d3f:InternetArticleReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://web.archive.org/web/20180407204216/https://isc.sans.edu/diary/Decoy+Personas+for+Safeguarding+Online+Identity+Using+Deception/16159"
},
"d3f:kb-abstract": "What if online scammers weren't sure whether the user account they are targeting is really yours, or whether the information they compiled about you is real? It's worth considering whether decoy online personas might help in the quest to safeguard our digital identities and data.\n\nI believe deception tactics, such as selective and careful use of honeypots, holds promise for defending enterprise IT resources. Some forms of deception could also protect individuals against online scammers and other attackers. This approach might not be quite practical today for most people, but in the future we might find it both necessary and achievable.\n\nHuman attackers and malicious software pursue user accounts and data on-line through harvesting, phishing, password-guessing, software vulnerabilities, and various other means. How might we use decoys to confuse, misdirect, slow down and detect adversaries engaged in such activities?\n\n...\n\nThe wealth of personal details available on social networking sites allows attackers to target individuals using social engineering, secret question-guessing and other techniques. For some examples of such approaches, see The Use of Fake or Fraudulent LinkedIn Profiles and Data Mining Resumes for Computer Attack Reconnaissance.\n\nSetting up one or more fake social network profiles (e.g., on Facebook) that use the person's real name can help the individual deflect the attack or can act as an early warning of an impending attack. A decoy profile could purposefully expose some inaccurate information, while the person's real profile would be more carefully concealed using the site's privacy settings. Decoy profiles would be associated with spamtrap email addresses.\n\nSimilarly, the person could expose decoy profiles on other sites, for instance those reveal shopping habits (e.g., Amazon), musings (e.g., Twitter), skills (e.g., GitHub), travel (e.g., TripIt), affections (e.g., Pinterest), music taste (e.g., Pandora) and so on. The person's decoy identities could also have fake resumes available on sites such as Indeed and Monster.com.",
"d3f:kb-author": "Lenny Zeltser",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "SANS",
"d3f:kb-reference-of": {
"@id": "d3f:DecoyPersona"
},
"d3f:kb-reference-title": "Decoy Personas for Safeguarding Online Identity Using Deception",
"rdfs:label": "Reference - Decoy Personas for Safeguarding Online Identity Using Deception - MITRE"
},
{
"@id": "d3f:UtilitySoftware",
"@type": "owl:Class",
"d3f:definition": "Utility applications are software applications designed to help to analyze, configure, optimize or maintain a computer. It is used to support the computer infrastructure - in contrast to application software, which is aimed at directly performing tasks that benefit ordinary users. However, utilities often form part of the application systems. For example, a batch job may run user-written code to update a database and may then include a step that runs a utility to back up the database, or a job may run a utility to compress a disk before copying files.",
"rdfs:isDefinedBy": {
"@id": "dbr:Utility_software"
},
"rdfs:label": "Utility Software",
"rdfs:subClassOf": {
"@id": "d3f:Software"
},
"skos:altLabel": "Utility Application"
},
{
"@id": "d3f:CCI-000060_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:AccountLocking"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-19T00:00:00"
},
"rdfs:label": "CCI-000060"
},
{
"@id": "d3f:T1110.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:Password"
},
"d3f:attack-id": "T1110.002",
"d3f:definition": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)",
"rdfs:label": "Password Cracking",
"rdfs:subClassOf": [
{
"@id": "d3f:T1110"
},
{
"@id": "_:N7281a9d28e594607b2b5851c6f74790b"
}
]
},
{
"@id": "_:N7281a9d28e594607b2b5851c6f74790b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:Password"
}
},
{
"@id": "d3f:CCI-000766_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements multifactor authentication for network access to non-privileged accounts.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:Multi-factorAuthentication"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-17T00:00:00"
},
"rdfs:label": "CCI-000766"
},
{
"@id": "d3f:T1055.011",
"@type": "owl:Class",
"d3f:attack-id": "T1055.011",
"d3f:definition": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.",
"rdfs:label": "Extra Window Memory Injection",
"rdfs:subClassOf": {
"@id": "d3f:T1055"
}
},
{
"@id": "d3f:CCI-002262_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:UserAccountPermissions"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-24T00:00:00"
},
"rdfs:label": "CCI-002262"
},
{
"@id": "d3f:Reference-PublicKeyPinningExtensionForHTTP",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://datatracker.ietf.org/doc/html/rfc7469"
},
"d3f:kb-abstract": "RFC 7469 describes an HTTP extension that allows web host operators to instruct user agents to remember ('pin') the hosts' cryptographic identities over a period of time. This decreases the risk of MITM attacks due to compromised Certificate Authorities.",
"d3f:kb-author": "C. Evans, C. Palmer, R. Sleevi",
"d3f:kb-organization": "Internet Engineering Task Force (IETF)",
"d3f:kb-reference-of": {
"@id": "d3f:CertificatePinning"
},
"d3f:kb-reference-title": "Public Key Pinning Extension for HTTP",
"rdfs:label": "Reference - Public Key Pinning Extension for HTTP"
},
{
"@id": "d3f:JobSchedulerSoftware",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:creates": {
"@id": "d3f:ScheduledJob"
},
"d3f:definition": "A job scheduler software is operating system software that when run executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking). Processes running such software are task scheduler processes. In Windows, Scheduled Tasks are created and managed by the Task Scheduler. In Unix-like OSes, the `cron` utitility serves a similar role.",
"d3f:modifies": [
{
"@id": "d3f:JobSchedule"
},
{
"@id": "d3f:ScheduledJob"
}
],
"d3f:synonym": "Task Scheduler Software",
"rdfs:label": "Job Scheduler Software",
"rdfs:seeAlso": [
{
"@id": "d3f:ScheduledJob"
},
{
"@id": "dbr:Cron"
},
{
"@id": "dbr:Windows_Task_Scheduler"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:SystemServiceSoftware"
},
{
"@id": "_:Ndf37353ae7174a759de8c468a76b0e6a"
},
{
"@id": "_:N6fcbc867ff324828af764ec7f7dbddc8"
},
{
"@id": "_:Nd2e4b23411164d59ae902b0235a09738"
}
]
},
{
"@id": "_:Ndf37353ae7174a759de8c468a76b0e6a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:ScheduledJob"
}
},
{
"@id": "_:N6fcbc867ff324828af764ec7f7dbddc8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:JobSchedule"
}
},
{
"@id": "_:Nd2e4b23411164d59ae902b0235a09738",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ScheduledJob"
}
},
{
"@id": "d3f:CWE-618",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-618",
"d3f:definition": "An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain).",
"rdfs:label": "Exposed Unsafe ActiveX Method",
"rdfs:subClassOf": {
"@id": "d3f:CWE-749"
}
},
{
"@id": "d3f:ContainerOrchestrationSoftware",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A d3f:Software which manages and coordinates running one or more d3f:ContainerProcess.",
"rdfs:label": "Container Orchestration Software",
"rdfs:subClassOf": {
"@id": "d3f:ServiceApplication"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-4",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:broader": {
"@id": "d3f:OperatingSystemMonitoring"
},
"d3f:control-name": "System Monitoring",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "SI-4"
},
{
"@id": "d3f:T1038",
"@type": "owl:Class",
"d3f:attack-id": "T1038",
"d3f:definition": "Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1574.001",
"rdfs:label": "DLL Search Order Hijacking",
"rdfs:seeAlso": "T1574.001",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "d3f:PersistenceTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
}
]
},
{
"@id": "d3f:Reference-IdentificationAndExtractionOfKeyForensicsIndicatorsOfCompromiseUsingSubject-specificFilesystemViews",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20200004962A1/en"
},
"d3f:kb-abstract": "A stackable filesystem that transparently tracks process file writes for forensic analysis. The filesystem comprises a base filesystem, and an overlay filesystem. Processes see the union of the upper and lower filesystems, but process writes are only reflected in the overlay. By providing per-process views of the filesystem using this stackable approach, a forensic analyzer can record a process's file-based activity-i.e., file creation, deletion, modification. These activities are then analyzed to identify indicators of compromise (IoCs). These indicators are then fed into a forensics analysis engine, which then quickly decides whether a subject (e.g., process, user) is malicious. If so, the system takes some proactive action to alert a proper authority, to quarantine the potential attack, or to provide other remediation. The approach enables forensic analysis without requiring file access mediation, or conducting system event-level collection and analysis, making it a lightweight, and non-intrusive solution.",
"d3f:kb-author": "Frederico Araujo; Anne E. Kohlbrenner; Marc Philippe Stoecklin; Teryl Paul Taylor",
"d3f:kb-reference-title": "Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views",
"rdfs:label": "Reference - Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views"
},
{
"@id": "d3f:RemovableMediaDevice",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A removable media device is a hardware device used for computer storage and that is designed to be inserted and removed from the system. It is distinct from other removable media in that all the hardware required to read the data are built into the device. So USB flash drives and external hard drives are removable media devices, whereas tapes and disks are not, as they require additional hardware to perform read/write operations.",
"rdfs:label": "Removable Media Device",
"rdfs:seeAlso": {
"@id": "dbr:Removable_media"
},
"rdfs:subClassOf": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:CCI-002468_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system performs data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:DNSTrafficAnalysis"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002468"
},
{
"@id": "skos:altLabel",
"@type": "owl:AnnotationProperty"
},
{
"@id": "d3f:T1552.007",
"@type": "owl:Class",
"d3f:attack-id": "T1552.007",
"d3f:definition": "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)",
"rdfs:label": "Container API",
"rdfs:subClassOf": {
"@id": "d3f:T1552"
}
},
{
"@id": "d3f:T1036.008",
"@type": "owl:Class",
"d3f:attack-id": "T1036.008",
"d3f:definition": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`.",
"rdfs:label": "Masquerade File Type",
"rdfs:subClassOf": {
"@id": "d3f:T1036"
}
},
{
"@id": "d3f:T1055.014",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:SharedLibraryFile"
},
"d3f:attack-id": "T1055.014",
"d3f:definition": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.",
"d3f:invokes": {
"@id": "d3f:SystemCall"
},
"rdfs:label": "VDSO Hijacking",
"rdfs:subClassOf": [
{
"@id": "d3f:T1055"
},
{
"@id": "_:Ncbce8fd5700344728e897b43fee30277"
},
{
"@id": "_:N12352f3d6d034f5f8a663f9a9541f63d"
}
]
},
{
"@id": "_:Ncbce8fd5700344728e897b43fee30277",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:SharedLibraryFile"
}
},
{
"@id": "_:N12352f3d6d034f5f8a663f9a9541f63d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemCall"
}
},
{
"@id": "d3f:KernelModuleEvent",
"@type": "owl:Class",
"d3f:definition": "An event involving the management of kernel modules, such as the loading or unloading of device drivers, extensions, or other dynamically linked components essential for kernel functionality.",
"rdfs:label": "Kernel Module Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/classes/kernel_extension"
},
"rdfs:subClassOf": [
{
"@id": "d3f:KernelEvent"
},
{
"@id": "_:Nbaff062a309d45aeba3c215e33884f08"
},
{
"@id": "_:Nf667e3989cf9451fb2689f547125ebe1"
}
]
},
{
"@id": "_:Nbaff062a309d45aeba3c215e33884f08",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDriver"
}
},
{
"@id": "_:Nf667e3989cf9451fb2689f547125ebe1",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:KernelModule"
}
},
{
"@id": "d3f:T1137.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:adds": {
"@id": "d3f:OfficeApplicationFile"
},
"d3f:attack-id": "T1137.003",
"d3f:definition": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)",
"rdfs:label": "Outlook Forms",
"rdfs:subClassOf": [
{
"@id": "d3f:T1137"
},
{
"@id": "_:N2c85af3df32f4c82ad08fe7f2f6e8db6"
}
]
},
{
"@id": "_:N2c85af3df32f4c82ad08fe7f2f6e8db6",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:adds"
},
"owl:someValuesFrom": {
"@id": "d3f:OfficeApplicationFile"
}
},
{
"@id": "d3f:GeometricMean",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-GM",
"d3f:definition": "The nth root of the product of the data values, where there are n of these. This measure is valid only for data that are measured absolutely on a strictly positive scale.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
"rdfs:label": "Geometric Mean",
"rdfs:subClassOf": {
"@id": "d3f:CentralTendency"
}
},
{
"@id": "d3f:CCI-001424_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:UserAccountPermissions"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system dynamically associates security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-25T00:00:00"
},
"rdfs:label": "CCI-001424"
},
{
"@id": "d3f:DS0035",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet",
"rdfs:comment": "This data source currently has no mappings to digital artifacts.",
"rdfs:label": "Internet Scan (ATT&CK DS)"
},
{
"@id": "d3f:CWE-1281",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1281",
"d3f:definition": "Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.",
"rdfs:label": "Sequence of Processor Instructions Leads to Unexpected Behavior",
"rdfs:subClassOf": {
"@id": "d3f:CWE-691"
}
},
{
"@id": "d3f:AuthenticateUser",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:authenticates": {
"@id": "d3f:UserAccount"
},
"rdfs:label": "Authenticate User",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Na6491339eb794e38a4b40e9d7d70ac26"
}
]
},
{
"@id": "_:Na6491339eb794e38a4b40e9d7d70ac26",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:authenticates"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:CWE-455",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-455",
"d3f:definition": "The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.",
"rdfs:label": "Non-exit on Failed Initialization",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-636"
},
{
"@id": "d3f:CWE-665"
},
{
"@id": "d3f:CWE-705"
}
]
},
{
"@id": "d3f:UserInterface",
"@type": "owl:Class",
"d3f:definition": "The user interface (UI), in the industrial design field of human-machine interaction, is the space where interactions between humans and machines occur. The goal of this interaction is to allow effective operation and control of the machine from the human end, whilst the machine simultaneously feeds back information that aids the operators' decision-making process. Examples of this broad concept of user interfaces include the interactive aspects of computer operating systems, hand tools, heavy machinery operator controls, and process controls. The design considerations applicable when creating user interfaces are related to or involve such disciplines as ergonomics and psychology.",
"rdfs:isDefinedBy": {
"@id": "dbr:User_interface"
},
"rdfs:label": "User Interface",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
},
"skos:altLabel": "UI"
},
{
"@id": "d3f:T1090",
"@type": "owl:Class",
"d3f:attack-id": "T1090",
"d3f:definition": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.",
"rdfs:label": "Proxy",
"rdfs:subClassOf": {
"@id": "d3f:CommandAndControlTechnique"
}
},
{
"@id": "d3f:CCI-002309_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:SystemConfigurationPermissions"
},
{
"@id": "d3f:UserAccountPermissions"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides authorized individuals the capability to define or change the value of security attributes available for association with objects.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-24T00:00:00"
},
"rdfs:label": "CCI-002309"
},
{
"@id": "d3f:CWE-99",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-99",
"d3f:definition": "The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.",
"d3f:synonym": "Insecure Direct Object Reference",
"rdfs:label": "Improper Control of Resource Identifiers ('Resource Injection')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-74"
}
},
{
"@id": "d3f:created-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x created-by y: The entity x is brought into existence, developed, or generated by entity y.",
"owl:inverseOf": {
"@id": "d3f:creates"
},
"rdfs:label": "created-by",
"rdfs:subPropertyOf": [
{
"@id": "d3f:associated-with"
},
{
"@id": "d3f:may-be-created-by"
}
]
},
{
"@id": "d3f:may-access",
"@type": "owl:ObjectProperty",
"d3f:definition": "x may-access y: They entity x may access the thing y; that is, 'x accesses y' may be true.",
"owl:inverseOf": {
"@id": "d3f:may-be-accessed-by"
},
"rdfs:label": "may-access",
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:T1566",
"@type": "owl:Class",
"d3f:attack-id": "T1566",
"d3f:definition": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.",
"rdfs:label": "Phishing",
"rdfs:subClassOf": {
"@id": "d3f:InitialAccessTechnique"
}
},
{
"@id": "d3f:Simulation",
"@type": "owl:Class",
"rdfs:label": "Simulation",
"rdfs:subClassOf": {
"@id": "d3f:Generation"
}
},
{
"@id": "d3f:T1087.003",
"@type": "owl:Class",
"d3f:attack-id": "T1087.003",
"d3f:definition": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)",
"rdfs:label": "Email Account",
"rdfs:subClassOf": {
"@id": "d3f:T1087"
}
},
{
"@id": "d3f:CWE-432",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-432",
"d3f:definition": "The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.",
"rdfs:label": "Dangerous Signal Handler not Disabled During Sensitive Operations",
"rdfs:subClassOf": {
"@id": "d3f:CWE-364"
}
},
{
"@id": "d3f:T1027.010",
"@type": "owl:Class",
"d3f:attack-id": "T1027.010",
"d3f:definition": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)",
"rdfs:label": "Command Obfuscation",
"rdfs:subClassOf": {
"@id": "d3f:T1027"
}
},
{
"@id": "d3f:CWE-393",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-393",
"d3f:definition": "A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.",
"rdfs:label": "Return of Wrong Status Code",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-684"
},
{
"@id": "d3f:CWE-703"
}
]
},
{
"@id": "d3f:T1547.008",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1547.008",
"d3f:definition": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)",
"d3f:may-create": {
"@id": "d3f:SharedLibraryFile"
},
"d3f:modifies": {
"@id": "d3f:SystemServiceSoftware"
},
"rdfs:label": "LSASS Driver",
"rdfs:subClassOf": [
{
"@id": "d3f:T1547"
},
{
"@id": "_:N30e674f5996d4d25b8b56a2bd1aad387"
},
{
"@id": "_:N3452488f6bac40838aecad2f82351c8b"
}
]
},
{
"@id": "_:N30e674f5996d4d25b8b56a2bd1aad387",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:SharedLibraryFile"
}
},
{
"@id": "_:N3452488f6bac40838aecad2f82351c8b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemServiceSoftware"
}
},
{
"@id": "d3f:CWE-508",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-508",
"d3f:definition": "Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.",
"rdfs:label": "Non-Replicating Malicious Code",
"rdfs:subClassOf": {
"@id": "d3f:CWE-507"
}
},
{
"@id": "d3f:CCI-002421_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:EncryptedTunnels"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002421"
},
{
"@id": "d3f:CWE-1122",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1122",
"d3f:definition": "The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.",
"rdfs:label": "Excessive Halstead Complexity",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1120"
}
},
{
"@id": "d3f:CWE-315",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-315",
"d3f:definition": "The product stores sensitive information in cleartext in a cookie.",
"rdfs:label": "Cleartext Storage of Sensitive Information in a Cookie",
"rdfs:subClassOf": {
"@id": "d3f:CWE-312"
}
},
{
"@id": "d3f:ResourceAccessPatternAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ResourceAccessPatternAnalysis"
],
"d3f:analyzes": [
{
"@id": "d3f:Authentication"
},
{
"@id": "d3f:Authorization"
}
],
"d3f:d3fend-id": "D3-RAPA",
"d3f:definition": "Analyzing the resources accessed by a user to identify unauthorized activity.",
"d3f:kb-article": "## How it works\nThis technique analyzes a user's resource accesses by comparing the user's recent activity against a baseline activity model. Major differences between the current activity and the baseline model might indicate unauthorized activity if they are severe enough.\n\n\n## Considerations\n* Potential for false positives from anomalies that are not associated with malicious activity.\n* Attackers that move low and slow may not differentiate their resource access activity behavior enough to trigger an alert.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
},
{
"@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
},
{
"@id": "d3f:Reference-ModelingUserAccessToComputerResources_DaedalusGroupLLC"
},
{
"@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"
},
{
"@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
}
],
"rdfs:label": "Resource Access Pattern Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:UserBehaviorAnalysis"
},
{
"@id": "_:Ne19d20b3ee4349eba501e8fe9f59d696"
},
{
"@id": "_:Nc4983474bc634441ab4cea089a5b416c"
}
]
},
{
"@id": "_:Ne19d20b3ee4349eba501e8fe9f59d696",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:Authentication"
}
},
{
"@id": "_:Nc4983474bc634441ab4cea089a5b416c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:Authorization"
}
},
{
"@id": "d3f:CWE-311",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-311",
"d3f:definition": "The product does not encrypt sensitive or critical information before storage or transmission.",
"rdfs:label": "Missing Encryption of Sensitive Data",
"rdfs:subClassOf": {
"@id": "d3f:CWE-693"
}
},
{
"@id": "d3f:Reference-CAR-2020-09-004%3ACredentialsInFiles%26Registry_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-09-004/"
},
"d3f:kb-abstract": "Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as “password”. In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS.Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several powersploit modules with similar functionality.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-09-004: Credentials in Files & Registry",
"rdfs:label": "Reference - CAR-2020-09-004: Credentials in Files & Registry - MITRE"
},
{
"@id": "d3f:T1137",
"@type": "owl:Class",
"d3f:attack-id": "T1137",
"d3f:definition": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.",
"rdfs:label": "Office Application Startup",
"rdfs:subClassOf": {
"@id": "d3f:PersistenceTechnique"
}
},
{
"@id": "d3f:CCI-001436_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-25T00:00:00"
},
"rdfs:label": "CCI-001436"
},
{
"@id": "d3f:T1552.006",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:GroupPolicy"
},
"d3f:attack-id": "T1552.006",
"d3f:definition": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)",
"rdfs:label": "Group Policy Preferences",
"rdfs:subClassOf": [
{
"@id": "d3f:T1552"
},
{
"@id": "_:N3a8058272e3f46af96ad4b4493de4ab8"
}
]
},
{
"@id": "_:N3a8058272e3f46af96ad4b4493de4ab8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:GroupPolicy"
}
},
{
"@id": "d3f:T1027.011",
"@type": "owl:Class",
"d3f:attack-id": "T1027.011",
"d3f:definition": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)",
"rdfs:label": "Fileless Storage",
"rdfs:subClassOf": {
"@id": "d3f:T1027"
}
},
{
"@id": "d3f:associated-with",
"@type": "owl:ObjectProperty",
"d3f:definition": "x associated-with y: The subject x and object y are associated in some way. This is the most general definite relationship in d3fend (i.e., most general relationship that is not prefixed by 'may-'.)",
"rdfs:label": "associated-with",
"rdfs:seeAlso": {
"@id": "http://wordnet-rdf.princeton.edu/id/13804981-n"
},
"rdfs:subPropertyOf": {
"@id": "d3f:may-be-associated-with"
}
},
{
"@id": "d3f:CWE-410",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-410",
"d3f:definition": "The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.",
"rdfs:label": "Insufficient Resource Pool",
"rdfs:subClassOf": {
"@id": "d3f:CWE-664"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_4",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Information Flow Enforcement | Flow Control of Encrypted Information",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"rdfs:label": "AC-4(4)"
},
{
"@id": "d3f:EmbeddedComputer",
"@type": "owl:Class",
"d3f:definition": "An embedded computer is a computer system -- a combination of a computer processor, computer memory, and input/output peripheral devices-that has a dedicated function within a larger mechanical or electrical system. It is embedded as part of a complete device often including electrical or electronic hardware and mechanical parts. Because an embedded system typically controls physical operations of the machine that it is embedded within, it often has real-time computing constraints. Embedded systems control many devices in common use today. Ninety-eight percent of all microprocessors manufactured are used in embedded systems.",
"rdfs:isDefinedBy": {
"@id": "dbr:Embedded_system"
},
"rdfs:label": "Embedded Computer",
"rdfs:subClassOf": {
"@id": "d3f:ClientComputer"
},
"skos:altLabel": "Embedded System"
},
{
"@id": "d3f:CWE-206",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-206",
"d3f:definition": "The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.",
"rdfs:label": "Observable Internal Behavioral Discrepancy",
"rdfs:subClassOf": {
"@id": "d3f:CWE-205"
}
},
{
"@id": "d3f:CCI-001858_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:SystemDaemonMonitoring"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-03-14T00:00:00"
},
"rdfs:label": "CCI-001858"
},
{
"@id": "d3f:SetThreadContext",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:modifies": {
"@id": "d3f:Thread"
},
"rdfs:label": "Set Thread Context",
"rdfs:seeAlso": {
"@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadcontext"
},
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N474c8f1205804729882c70021ce15d80"
}
]
},
{
"@id": "_:N474c8f1205804729882c70021ce15d80",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:Thread"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-23",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Data Mining Protection",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:JobFunctionAccessPatternAnalysis"
},
{
"@id": "d3f:LocalAccountMonitoring"
},
{
"@id": "d3f:ResourceAccessPatternAnalysis"
},
{
"@id": "d3f:UserDataTransferAnalysis"
}
],
"rdfs:label": "AC-23"
},
{
"@id": "d3f:PeripheralHubFirmware",
"@type": "owl:Class",
"d3f:definition": "Firmware that is installed on peripheral hub device such as a USB or Firewire hub.",
"rdfs:label": "Peripheral Hub Firmware",
"rdfs:seeAlso": {
"@id": "dbr:USB_hub"
},
"rdfs:subClassOf": {
"@id": "d3f:PeripheralFirmware"
},
"skos:altLabel": "USB Hub Firmware"
},
{
"@id": "d3f:ReissueCredential",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ReissueCredential"
],
"d3f:d3fend-id": "D3-RIC",
"d3f:definition": "Issue a new credential to a user which supercedes their old credential.",
"d3f:kb-reference": {
"@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
},
"d3f:restores": {
"@id": "d3f:Credential"
},
"rdfs:label": "Reissue Credential",
"rdfs:subClassOf": [
{
"@id": "d3f:RestoreAccess"
},
{
"@id": "_:N88aeb62b4ec244a5894f57a77856b3c4"
}
]
},
{
"@id": "_:N88aeb62b4ec244a5894f57a77856b3c4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restores"
},
"owl:someValuesFrom": {
"@id": "d3f:Credential"
}
},
{
"@id": "d3f:RFReceiver",
"@type": "owl:Class",
"d3f:definition": "An RF Receiver captures and processes incoming radio freqency signals.",
"rdfs:label": "RF Receiver",
"rdfs:subClassOf": {
"@id": "d3f:RFNode"
}
},
{
"@id": "d3f:T1552.005",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:CloudInstanceMetadata"
},
"d3f:attack-id": "T1552.005",
"d3f:definition": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.",
"rdfs:label": "Cloud Instance Metadata API",
"rdfs:subClassOf": [
{
"@id": "d3f:T1552"
},
{
"@id": "_:N9139bb50b64549d2ada8cead7255bf90"
}
]
},
{
"@id": "_:N9139bb50b64549d2ada8cead7255bf90",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:CloudInstanceMetadata"
}
},
{
"@id": "d3f:PeripheralFirmware",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Firmware that is installed on computer peripheral devices.",
"rdfs:label": "Peripheral Firmware",
"rdfs:seeAlso": [
{
"@id": "d3f:Firmware"
},
{
"@id": "dbr:Peripheral"
}
],
"rdfs:subClassOf": {
"@id": "d3f:Firmware"
}
},
{
"@id": "d3f:M1049",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:d3fend-comment": "Process Analysis and subclasses.",
"d3f:related": [
{
"@id": "d3f:FileContentRules"
},
{
"@id": "d3f:FileHashing"
},
{
"@id": "d3f:ProcessAnalysis"
}
],
"rdfs:label": "Antivirus/Antimalware"
},
{
"@id": "d3f:CreateFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:creates": {
"@id": "d3f:File"
},
"d3f:definition": "System call to create a new file on a file system. Some operating systems implement this functionality as part of their d3f:OpenFile system call.",
"rdfs:label": "Create File",
"rdfs:seeAlso": [
{
"@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfile2"
},
{
"@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea"
},
{
"@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew"
},
{
"@id": "https://linux.die.net/man/2/creat"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N681e732383b6444f83ce0317c1540fdc"
}
]
},
{
"@id": "_:N681e732383b6444f83ce0317c1540fdc",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:WebServerApplication",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A web server application (or web app) is an application software that runs on a web server, unlike computer-based software programs that are stored locally on the Operating System (OS) of the device. Web applications are accessed by the user through a web browser with an active internet connection. These applications are programmed using a client-server modeled structure-the user (\"client\") is provided services through an off-site server that is hosted by a third-party. Examples of commonly-used, web applications, include: web-mail, online retail sales, online banking, and online auctions.",
"rdfs:isDefinedBy": {
"@id": "dbr:Web_application"
},
"rdfs:label": "Web Server Application",
"rdfs:subClassOf": {
"@id": "d3f:ServiceApplication"
},
"skos:altLabel": [
"Web App",
"Web Application"
]
},
{
"@id": "d3f:FileFooterBlockContent",
"@type": "owl:Class",
"d3f:definition": "The content of a footer block not including the signature.",
"rdfs:label": "File Footer Block Content",
"rdfs:subClassOf": {
"@id": "d3f:FileMetadata"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AU-4",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Audit Log Storage Capacity",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:LocalAccountMonitoring"
},
"rdfs:label": "AU-4"
},
{
"@id": "d3f:HostShutdown",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:HostShutdown",
"d3f:ProcessTermination"
],
"d3f:d3fend-id": "D3-HS",
"d3f:definition": "Initiating a host's shutdown sequence to terminate all running processes.",
"d3f:kb-article": "## How It Works\n\nHost shutdown can either be initiated in the physical presence of the device using the power functions or remotely using the provided user interface or an installed EDR agent (with the available function). This process may allow for the removal of specific types of malware, such as fileless malware, and can also prevent further damage, for example, if the system is part of a botnet.\n\n## Considerations\n\n- If the attacker has achieved persistence techniques, this technique may not be effective\n- Compromised systems may not respond to remote commands to shutdown or reboot, requiring physical intervention.\n- Shutting down a system will usually result in the memory losing its state which can be useful in forensic activities so this should be considered when deciding to shutdown.\n- Shutting down systems may disrupt access to computer resources for legitimate users.",
"d3f:kb-reference": {
"@id": "d3f:Reference-NearMemoryInMemoryDetectionofFilelessMalware"
},
"d3f:terminates": {
"@id": "d3f:Process"
},
"rdfs:label": "Host Shutdown",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessEviction"
},
{
"@id": "_:N144554277c404a66a65aa166ba39c1cf"
}
]
},
{
"@id": "_:N144554277c404a66a65aa166ba39c1cf",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:terminates"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:d3fend-kb-object-property",
"@type": "owl:ObjectProperty",
"d3f:definition": "x d3fend-kb-object-property y: The object y is a d3fend knowledge base object property. These properties allow the linkage of knowledge and information supporting and illustrating the d3fend model.",
"rdfs:label": "d3fend-kb-object-property",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-object-property"
}
},
{
"@id": "d3f:TraceProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A trace system call provides a means by which one process (the \"tracer\") may observe and control the execution of another process (the \"tracee\"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing.",
"d3f:monitors": {
"@id": "d3f:Process"
},
"rdfs:label": "Trace Process",
"rdfs:seeAlso": [
{
"@id": "https://dbpedia.org/resource/Ptrace"
},
{
"@id": "https://linux.die.net/man/2/ptrace"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Nf8ee3b2b3c9747fda11ab79719ad359b"
}
],
"skos:altLabel": "Open Process"
},
{
"@id": "_:Nf8ee3b2b3c9747fda11ab79719ad359b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:monitors"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:PasswordDatabase",
"@type": "owl:Class",
"d3f:definition": "A password database is a database that holds passwords for user accounts and is usually encrypted (i.e.., the passwords are hashed). Password databases are found supporting system services (such as SAM) or part of user applications such as password managers.",
"rdfs:label": "Password Database",
"rdfs:subClassOf": {
"@id": "d3f:Database"
}
},
{
"@id": "d3f:CWE-833",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-833",
"d3f:definition": "The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.",
"rdfs:label": "Deadlock",
"rdfs:subClassOf": {
"@id": "d3f:CWE-667"
}
},
{
"@id": "d3f:MemoryBlock",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:contains": {
"@id": "d3f:MemoryWord"
},
"d3f:definition": "In computing (specifically data transmission and data storage), a block, sometimes called a physical record, is a sequence of bytes or bits, usually containing some whole number of records, having a maximum length; a block size. Data thus structured are said to be blocked. The process of putting data into blocks is called blocking, while deblocking is the process of extracting data from blocks. Blocked data is normally stored in a data buffer and read or written a whole block at a time.",
"d3f:may-contain": {
"@id": "d3f:Record"
},
"rdfs:isDefinedBy": {
"@id": "https://dbpedia.org/page/Block_(data_storage)"
},
"rdfs:label": "Memory Block",
"rdfs:subClassOf": [
{
"@id": "d3f:MemoryExtent"
},
{
"@id": "_:N7a833d443aae4e6f957db4fb6db79157"
},
{
"@id": "_:Nacda44736a6a4fe99ec662d55ba35114"
}
]
},
{
"@id": "_:N7a833d443aae4e6f957db4fb6db79157",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:contains"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryWord"
}
},
{
"@id": "_:Nacda44736a6a4fe99ec662d55ba35114",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:Record"
}
},
{
"@id": "d3f:T1037.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1037.002",
"d3f:definition": "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)",
"d3f:modifies": {
"@id": "d3f:UserInitScript"
},
"rdfs:label": "Login Hook",
"rdfs:subClassOf": [
{
"@id": "d3f:T1037"
},
{
"@id": "_:N5f74df2163d6473aa5e8d113c5b10333"
}
]
},
{
"@id": "_:N5f74df2163d6473aa5e8d113c5b10333",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:UserInitScript"
}
},
{
"@id": "d3f:UserAccountDeletionEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the permanent deletion of a user account from a system or domain.",
"rdfs:label": "User Account Deletion Event",
"rdfs:subClassOf": [
{
"@id": "d3f:UserAccountEvent"
},
{
"@id": "_:N629f36d718634359a620db19255635ef"
}
]
},
{
"@id": "_:N629f36d718634359a620db19255635ef",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccountCreationEvent"
}
},
{
"@id": "d3f:CWE-663",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-663",
"d3f:definition": "The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.",
"rdfs:label": "Use of a Non-reentrant Function in a Concurrent Context",
"rdfs:subClassOf": {
"@id": "d3f:CWE-662"
}
},
{
"@id": "d3f:DS0016",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter",
"rdfs:comment": "This data source captures events relating to drives and therefore has no direct mappings to digital artifacts.",
"rdfs:label": "Drive (ATT&CK DS)"
},
{
"@id": "d3f:CWE-1291",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1291",
"d3f:definition": "The same public key is used for signing both debug and production code.",
"rdfs:label": "Public Key Re-Use for Signing both Debug and Production Code",
"rdfs:subClassOf": {
"@id": "d3f:CWE-693"
}
},
{
"@id": "d3f:WebFileResource",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:addressed-by": {
"@id": "d3f:URL"
},
"d3f:definition": "A web file resource is a file resource identified by a Uniform Resource Identifier (URI) and made available from one host to another host via a web protocol and across a network or networks.",
"rdfs:label": "Web File Resource",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkFileResource"
},
{
"@id": "d3f:WebResource"
},
{
"@id": "_:Nb284cdea71784193aab580da8bc0c6d9"
}
]
},
{
"@id": "_:Nb284cdea71784193aab580da8bc0c6d9",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:addressed-by"
},
"owl:someValuesFrom": {
"@id": "d3f:URL"
}
},
{
"@id": "d3f:T1023",
"@type": "owl:Class",
"d3f:attack-id": "T1023",
"d3f:definition": "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1547.009",
"rdfs:label": "Shortcut Modification",
"rdfs:seeAlso": "T1547.009",
"rdfs:subClassOf": {
"@id": "d3f:PersistenceTechnique"
}
},
{
"@id": "d3f:StaticAnalysisTool",
"@type": "owl:Class",
"d3f:definition": "A static [program] analysis tool performs an automated analysis of computer software without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.",
"rdfs:isDefinedBy": {
"@id": "dbr:Static_program_analysis"
},
"rdfs:label": "Static Analysis Tool",
"rdfs:seeAlso": [
{
"@id": "dbr:Program_analysis"
},
{
"@id": "dbr:Category:Program_analysis"
}
],
"rdfs:subClassOf": {
"@id": "d3f:CodeAnalyzer"
},
"skos:altLabel": "Static Program Analysis Tool"
},
{
"@id": "d3f:AgentAuthentication",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:AgentAuthentication"
],
"d3f:authenticates": {
"@id": "d3f:Agent"
},
"d3f:d3fend-id": "D3-AA",
"d3f:definition": "Agent authentication is the process of verifying the identities of agents to ensure they are authorized and trustworthy participants within a system.",
"d3f:enables": {
"@id": "d3f:Harden"
},
"d3f:kb-reference": {
"@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
},
"d3f:strengthens": {
"@id": "d3f:UserAccount"
},
"rdfs:label": "Agent Authentication",
"rdfs:subClassOf": [
{
"@id": "d3f:DefensiveTechnique"
},
{
"@id": "_:Naaf1153d177647e9b149561ddbfd8340"
},
{
"@id": "_:N3c527065ff9946bdbc05ef8bf9a0e719"
},
{
"@id": "_:N68dec1c264ee401db68bdf6ba9f04a41"
}
]
},
{
"@id": "_:Naaf1153d177647e9b149561ddbfd8340",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:authenticates"
},
"owl:someValuesFrom": {
"@id": "d3f:Agent"
}
},
{
"@id": "_:N3c527065ff9946bdbc05ef8bf9a0e719",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:Harden"
}
},
{
"@id": "_:N68dec1c264ee401db68bdf6ba9f04a41",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:strengthens"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:ActiveLogicalLinkMapping",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ActiveLogicalLinkMapping"
],
"d3f:d3fend-id": "D3-ALLM",
"d3f:definition": "Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection",
"d3f:kb-article": "## How it works\n\nActive logical link mapping establishes awareness of logical links in the network by sending data over the network to gather information about logical connections in the network.\n\nTypically this will be achieved through network telemetry coordinated for network management and monitoring and will use a link layer discovery protocol such as LLDP and the information gathered and aggregated a higher levels using an application protocol such as SNMP. The information may be polled by network management softare or configured once and then pushed from network sensors (or agents.)\n\nAnother means of establishing network connectivity is by means of sendingn traffic through the use of a tool such as traceroute, to determine the logical paths through the network architecture.\n\n## Considerations\n\n* Best practice is to encrypte network monitoring data and require authentication for queries or admin/management functions.\n* Push notifications reduce bandwidth necessary to capture and maintain information if reliable transport is used.\n* Special consideration should be made before using of active scanning in OT networks and OT-safe options chosen where available.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices"
},
{
"@id": "d3f:Reference-SNMPNetworkAutoDiscovery"
}
],
"d3f:may-query": {
"@id": "d3f:NetworkAgent"
},
"rdfs:label": "Active Logical Link Mapping",
"rdfs:subClassOf": [
{
"@id": "d3f:LogicalLinkMapping"
},
{
"@id": "_:N09477babd27240e88ab227b09fe69547"
}
]
},
{
"@id": "_:N09477babd27240e88ab227b09fe69547",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-query"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkAgent"
}
},
{
"@id": "d3f:CWE-595",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-595",
"d3f:definition": "The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.",
"rdfs:label": "Comparison of Object References Instead of Object Contents",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1025"
}
},
{
"@id": "d3f:Reference-CAR-2014-05-001%3ARPCActivity_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2014-05-001/"
},
"d3f:kb-abstract": "Microsoft Windows uses its implementation of Distributed Computing Environment/Remote Procedure Call (DCE/RPC), which it calls Microsoft RPC, to call certain APIs remotely.\n\nA Remote Procedure Call is initiated by communicating to the RPC Endpoint Mapper, which exists as the Windows service RpcEptMapper and listens on the port 135/tcp. The endpoint mapper resolves a requested endpoint/interface and responds to the client with the port that the service is listening on. Since the RPC endpoints are assigned ports when the services start, these ports are dynamically assigned from 49152 to 65535. The connection to the endpoint mapper then terminates and the client program can communicate directly with the requested service.\n\nRPC is a legitimate functionality of Windows that allows remote interaction with a variety of services. For a Windows environment to be properly configured, several programs use RPC to communicate legitimately with servers. The background and benign RPC activity may be enormous, but must be learned, especially peer-to-peer RPC between workstations, which is often indicative of Lateral Movement.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:RPCTrafficAnalysis"
},
"d3f:kb-reference-title": "CAR-2014-05-001: RPC Activity",
"rdfs:label": "Reference - CAR-2014-05-001: RPC Activity - MITRE"
},
{
"@id": "d3f:Skewness",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SKE",
"d3f:definition": "Skewness is a measure of the asymmetry of the probability distribution of a real-valued random variable about its mean. The standardized moment of a probability distribution function.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Skewness. [Link](https://en.wikipedia.org/wiki/Skewness)",
"rdfs:label": "Skewness",
"rdfs:subClassOf": {
"@id": "d3f:DistributionProperties"
}
},
{
"@id": "d3f:NetworkConnectionFailEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a network connection attempt fails.",
"rdfs:label": "Network Connection Fail Event",
"rdfs:subClassOf": {
"@id": "d3f:NetworkConnectionEvent"
}
},
{
"@id": "d3f:d3fend-kb-reference-annotation",
"@type": "owl:AnnotationProperty",
"d3f:definition": "x d3fend-kb-data-property y: The reference x has the data property y.",
"rdfs:domain": {
"@id": "d3f:TechniqueReference"
},
"rdfs:label": "d3fend-kb-reference-annotation",
"rdfs:range": {
"@id": "xsd:string"
},
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-kb-annotation-property"
}
},
{
"@id": "d3f:LinuxConnect",
"@type": "owl:Class",
"d3f:definition": "Initiate a connection on a socket.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/connect.2.html"
},
"rdfs:label": "Linux Connect",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIConnectSocket"
}
},
{
"@id": "d3f:T1608.003",
"@type": "owl:Class",
"d3f:attack-id": "T1608.003",
"d3f:definition": "Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)",
"rdfs:label": "Install Digital Certificate",
"rdfs:subClassOf": {
"@id": "d3f:T1608"
}
},
{
"@id": "d3f:BookReference",
"@type": "owl:Class",
"d3f:pref-label": "Book",
"rdfs:label": "Book Reference",
"rdfs:subClassOf": {
"@id": "d3f:TechniqueReference"
}
},
{
"@id": "d3f:CWE-296",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-296",
"d3f:definition": "The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.",
"rdfs:label": "Improper Following of a Certificate's Chain of Trust",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-295"
},
{
"@id": "d3f:CWE-573"
}
]
},
{
"@id": "d3f:CWE-147",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-147",
"d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.",
"rdfs:label": "Improper Neutralization of Input Terminators",
"rdfs:subClassOf": {
"@id": "d3f:CWE-138"
}
},
{
"@id": "d3f:T1584.004",
"@type": "owl:Class",
"d3f:attack-id": "T1584.004",
"d3f:definition": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.",
"rdfs:label": "Server",
"rdfs:subClassOf": {
"@id": "d3f:T1584"
}
},
{
"@id": "d3f:Reference-CAR-2020-11-006%3ALocalPermissionGroupDiscovery_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-11-006/"
},
"d3f:kb-abstract": "Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-11-006: Local Permission Group Discovery",
"rdfs:label": "Reference - CAR-2020-11-006: Local Permission Group Discovery - MITRE"
},
{
"@id": "d3f:AccessControlAdministrationEvent",
"@type": "owl:Class",
"d3f:definition": "An event concerning the administrative actions of setting, modifying, or abolishing permissions, configuring access control settings, and managing user access rights to ensure alignment with access control policies.",
"rdfs:label": "Access Control Administration Event",
"rdfs:subClassOf": {
"@id": "d3f:AccessControlEvent"
},
"skos:altLabel": [
"Permission Administration Event",
"Permission Provisioning Event"
]
},
{
"@id": "d3f:DiskImage",
"@type": "owl:Class",
"d3f:definition": "A disk image is a snapshot of a storage device's structure and data typically stored in one or more computer files on another storage device.",
"rdfs:isDefinedBy": {
"@id": "https://en.wikipedia.org/wiki/Disk_image"
},
"rdfs:label": "Disk Image",
"rdfs:seeAlso": {
"@id": "https://dbpedia.org/resource/Disk_image"
},
"rdfs:subClassOf": {
"@id": "d3f:StorageImage"
}
},
{
"@id": "d3f:CWE-300",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-300",
"d3f:definition": "The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.",
"d3f:synonym": [
"Adversary-in-the-Middle / AITM",
"Interception attack",
"Man-in-the-Middle / MITM",
"Manipulator-in-the-Middle",
"Monkey-in-the-Middle",
"Monster-in-the-Middle",
"On-path attack",
"Person-in-the-Middle / PITM"
],
"rdfs:label": "Channel Accessible by Non-Endpoint",
"rdfs:subClassOf": {
"@id": "d3f:CWE-923"
}
},
{
"@id": "d3f:T1553",
"@type": "owl:Class",
"d3f:attack-id": "T1553",
"d3f:definition": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.",
"rdfs:label": "Subvert Trust Controls",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:CWE-1336",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1336",
"d3f:definition": "The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.",
"d3f:synonym": [
"Client-Side Template Injection / CSTI",
"Server-Side Template Injection / SSTI"
],
"rdfs:label": "Improper Neutralization of Special Elements Used in a Template Engine",
"rdfs:subClassOf": {
"@id": "d3f:CWE-94"
}
},
{
"@id": "d3f:WebApplicationFirewall",
"@type": "owl:Class",
"d3f:definition": "A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.",
"rdfs:isDefinedBy": {
"@id": "dbr:Web_application_firewall"
},
"rdfs:label": "Web Application Firewall",
"rdfs:subClassOf": {
"@id": "d3f:ApplicationLayerFirewall"
},
"skos:altLabel": "WAF"
},
{
"@id": "d3f:Open-sourceDeveloper",
"@type": "owl:Class",
"d3f:definition": "An open-source developer contributes to the development, maintenance, or improvement of open-source projects.",
"rdfs:label": "Open-source Developer",
"rdfs:subClassOf": {
"@id": "d3f:ProductDeveloper"
}
},
{
"@id": "d3f:Prolog",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-PRO",
"d3f:definition": "Prolog has its roots in first-order logic, a formal logic, and unlike many other programming languages.",
"d3f:kb-article": "## How it works\nProlog is intended primarily as a declarative programming language: the program logic is expressed in terms of relations, represented as facts and rules. A computation is initiated by running a query over these relations.\n\n## References\n1. Prolog. (2023, April 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Prolog)",
"rdfs:label": "Prolog",
"rdfs:subClassOf": {
"@id": "d3f:LogicProgramming"
}
},
{
"@id": "d3f:T1539",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:SessionCookie"
},
"d3f:attack-id": "T1539",
"d3f:definition": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.",
"rdfs:label": "Steal Web Session Cookie",
"rdfs:subClassOf": [
{
"@id": "d3f:CredentialAccessTechnique"
},
{
"@id": "_:Ne600f498464349b1851a3cb20315bfa5"
}
]
},
{
"@id": "_:Ne600f498464349b1851a3cb20315bfa5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:SessionCookie"
}
},
{
"@id": "d3f:CWE-1223",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1223",
"d3f:definition": "A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.",
"rdfs:label": "Race Condition for Write-Once Attributes",
"rdfs:subClassOf": {
"@id": "d3f:CWE-362"
}
},
{
"@id": "d3f:DS0014",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "A single unit of shared resources within a cluster, comprised of one or more containers",
"rdfs:comment": "This data source captures events relating to pods and therefore has no direct mappings to digital artifacts.",
"rdfs:label": "Pod (ATT&CK DS)"
},
{
"@id": "d3f:MemoryBlockStartValidation",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3-MBSV",
"d3f:definition": "Ensuring that a pointer accurately references the beginning of a designated memory block.",
"d3f:hardens": {
"@id": "d3f:MemoryFreeFunction"
},
"d3f:kb-article": "## How it Works\nEnsure that a pointer is referencing the beginning of the intended block before using.\n\n## Considerations\nBe careful with pointer arithmetic.",
"d3f:kb-reference": {
"@id": "d3f:Reference-CManualPointerArithmetic_GNU"
},
"rdfs:label": "Memory Block Start Validation",
"rdfs:subClassOf": [
{
"@id": "d3f:PointerValidation"
},
{
"@id": "_:Nbc6f1957e22349c0bfb0911076829038"
}
]
},
{
"@id": "_:Nbc6f1957e22349c0bfb0911076829038",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:hardens"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryFreeFunction"
}
},
{
"@id": "d3f:DigitalAudioVisualMedia",
"@type": "owl:Class",
"d3f:definition": "Audiovisual (AV) is electronic media possessing both a sound and a visual component.",
"rdfs:isDefinedBy": "https://dbpedia.org/page/Audiovisual",
"rdfs:label": "Digital Audio Visual Media",
"rdfs:subClassOf": {
"@id": "d3f:DigitalMultimedia"
}
},
{
"@id": "d3f:CWE-759",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-759",
"d3f:definition": "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.",
"rdfs:label": "Use of a One-Way Hash without a Salt",
"rdfs:subClassOf": {
"@id": "d3f:CWE-916"
}
},
{
"@id": "d3f:CWE-161",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-161",
"d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
"rdfs:label": "Improper Neutralization of Multiple Leading Special Elements",
"rdfs:subClassOf": {
"@id": "d3f:CWE-160"
}
},
{
"@id": "d3f:AccessMediator",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An Access Mediator enforces access control policies to regulate interactions with a resource.",
"d3f:implements": {
"@id": "d3f:AccessControlConfiguration"
},
"d3f:mediates-access-to": {
"@id": "d3f:Resource"
},
"d3f:used-by": {
"@id": "d3f:Agent"
},
"rdfs:label": "Access Mediator",
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:N74ed58261a91469e8db821d38361b71b"
},
{
"@id": "_:N7a573547ff454157a737b7a31003cc99"
},
{
"@id": "_:Nf6707dbc94e543f6bdfae43180a7021c"
}
]
},
{
"@id": "_:N74ed58261a91469e8db821d38361b71b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:implements"
},
"owl:someValuesFrom": {
"@id": "d3f:AccessControlConfiguration"
}
},
{
"@id": "_:N7a573547ff454157a737b7a31003cc99",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:mediates-access-to"
},
"owl:someValuesFrom": {
"@id": "d3f:Resource"
}
},
{
"@id": "_:Nf6707dbc94e543f6bdfae43180a7021c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:used-by"
},
"owl:someValuesFrom": {
"@id": "d3f:Agent"
}
},
{
"@id": "d3f:CWE-285",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-285",
"d3f:definition": "The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.",
"d3f:synonym": "AuthZ",
"rdfs:label": "Improper Authorization",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:M1022",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": {
"@id": "d3f:LocalFilePermissions"
},
"rdfs:label": "Restrict File and Directory Permissions"
},
{
"@id": "d3f:CWE-1021",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1021",
"d3f:definition": "The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.",
"d3f:synonym": [
"Clickjacking",
"Tapjacking",
"UI Redress Attack"
],
"rdfs:label": "Improper Restriction of Rendered UI Layers or Frames",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-441"
},
{
"@id": "d3f:CWE-451"
}
]
},
{
"@id": "d3f:M1024",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": {
"@id": "d3f:SystemConfigurationPermissions"
},
"rdfs:label": "Restrict Registry Permission"
},
{
"@id": "d3f:Reference-DistributedMeta-informationQueryInANetwork_Bit9Inc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20070028302A1/en?oq=US-2007028302-A1"
},
"d3f:kb-abstract": "A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. A server associated with a number of hosts can provide a query for host computers to access security-related meta-information in local host stores. The query is pulled from the server by the hosts. The results of the distributed host query are stored and merged on the server, and exported for display, reports, or security response.",
"d3f:kb-author": "Todd Brennan; John Hanratty",
"d3f:kb-mitre-analysis": "Provides a mechanism to detect, monitor, locate, and control files installed on host computers. Each host has a host agent that analyzes file system activity and takes action based on policies configured on a server. The policies identify whether to block, log, allow, or quarantine actions such as file accesses and execution of executables. Examples of policies include:\n\n* Block/log execution of new executables and detached scripts (e.g., .exe or .bat)\n* Block/log reading/execution of new embedded content (e.g., macros in .doc)\n* Block/log installation/modification of Web content (alteration of content in .html or .cgi files)\n* Block/log execution of new files in an administratively defined 'class'; e.g., an administrator might want to block screen savers .scr, but not the entire class of executables .exe, .dll, .sys, etc . . .",
"d3f:kb-organization": "Bit 9 Inc",
"d3f:kb-reference-of": {
"@id": "d3f:FileContentRules"
},
"d3f:kb-reference-title": "Distributed meta-information query in a network",
"rdfs:label": "Reference - Distributed meta-information query in a network - Bit 9 Inc"
},
{
"@id": "d3f:CCI-000162_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system protects audit information from unauthorized access.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:CredentialHardening"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-22T00:00:00"
},
"rdfs:label": "CCI-000162"
},
{
"@id": "d3f:T1058",
"@type": "owl:Class",
"d3f:attack-id": "T1058",
"d3f:definition": "Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1574.011",
"rdfs:label": "Service Registry Permissions Weakness",
"rdfs:seeAlso": "T1574.011",
"rdfs:subClassOf": [
{
"@id": "d3f:PersistenceTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
}
]
},
{
"@id": "d3f:DHCPService",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A DHCP service assigns IP address and modifies network configurations.",
"d3f:may-produce": {
"@id": "d3f:DHCPNetworkTraffic"
},
"rdfs:label": "DHCP Service",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkService"
},
{
"@id": "_:Nd9b789a0b2df4231839604302bb18144"
}
]
},
{
"@id": "_:Nd9b789a0b2df4231839604302bb18144",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-produce"
},
"owl:someValuesFrom": {
"@id": "d3f:DHCPNetworkTraffic"
}
},
{
"@id": "d3f:QueryByCommittee",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-QBC",
"d3f:definition": "Query by Committee (QBC) takes inspiration from ensemble methods. Instead of just one classifier, it takes into account the decision of a committee C=ℎ1,…,ℎc of classifiers ℎi. Each classifier has the same target classes, but a different underlying model or a different view on the data.",
"d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
"rdfs:label": "Query By Committee",
"rdfs:subClassOf": {
"@id": "d3f:ActiveLearning"
}
},
{
"@id": "d3f:RegressionAnalysisLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-RAL",
"d3f:definition": "Regression is used to understand the relationship between dependent and independent variables which is then used to make projections, such as for sales revenue for a given business.",
"d3f:kb-article": "## References\nSupervised Learning. IBM. [Link](https://www.ibm.com/topics/supervised-learning).",
"rdfs:label": "Regression Analysis Learning",
"rdfs:subClassOf": {
"@id": "d3f:SupervisedLearning"
}
},
{
"@id": "d3f:OTCreateDataCommandEvent",
"@type": "owl:Class",
"d3f:definition": "OT command that creates data on a remote device.",
"rdfs:label": "OT Create Data Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTWriteCommandEvent"
},
{
"@id": "_:N4433299d61754719a0b103d9fce89785"
}
]
},
{
"@id": "_:N4433299d61754719a0b103d9fce89785",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTCreateDataCommand"
}
},
{
"@id": "d3f:CWE-1262",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1262",
"d3f:definition": "The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.",
"rdfs:label": "Improper Access Control for Register Interface",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:CWE-597",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-597",
"d3f:definition": "The product uses the wrong operator when comparing a string, such as using \"==\" when the .equals() method should be used instead.",
"rdfs:label": "Use of Wrong Operator in String Comparison",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-480"
},
{
"@id": "d3f:CWE-595"
}
]
},
{
"@id": "d3f:ScheduledJobEnableEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a scheduled task is activated, allowing it to execute according to its defined parameters.",
"rdfs:label": "Scheduled Job Enable Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ScheduledJobEvent"
},
{
"@id": "_:N90abcca2dcbc48e38af10403d28c2ca4"
}
]
},
{
"@id": "_:N90abcca2dcbc48e38af10403d28c2ca4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ScheduledJobCreationEvent"
}
},
{
"@id": "d3f:OTDeviceConfigurationCommand",
"@type": "owl:Class",
"d3f:definition": "Configure or administer managed devices.",
"rdfs:comment": [
"BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
"GE-SRTP: READ PROGRAM MEMORY\nGE-SRTP: WRITE PROGRAM BLOCK MEMORY\nGE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL\nGE-SRTP: SET CONTROL ID(CPU ID)\nGE-SRTP: SET PLC (RUN VS STOP)\nGE-SRTP: PROGRAM STORE (UPLOAD FROM PLC)\nGE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)\nGE-SRTP: TOGGLE FORCE SYSTEM MEMORY"
],
"rdfs:label": "OT Device Configuration Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTDeviceManagementMessage"
}
},
{
"@id": "d3f:enabled-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x enabled-by y: A top level technique y enables a tactic x, that is, the property indicates that a technique y is used to put a particular tactic x into action. In other words, y renders x capable or able for some task. Inverse of enables.",
"owl:inverseOf": {
"@id": "d3f:enables"
},
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/00513958-v"
},
"rdfs:label": "enabled-by",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:DHCPInformEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a DHCP client sends an INFORM message to request configuration parameters, such as DNS or gateway information, without requiring IP address assignment.",
"rdfs:label": "DHCP Inform Event",
"rdfs:subClassOf": {
"@id": "d3f:DHCPEvent"
},
"skos:altLabel": "DHCPINFORM"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_21",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Information Flow Enforcement | Physical or Logical Separation of Information Flows",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"rdfs:label": "AC-4(21)"
},
{
"@id": "d3f:User",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A user is a person [or agent] who uses a computer or network service. Users generally use a system or a software product without the technical expertise required to fully understand it. Power users use advanced features of programs, though they are not necessarily capable of computer programming and system administration. A user often has a user account and is identified to the system by a username (or user name). Other terms for username include login name, screenname (or screen name), nickname (or nick) and handle, which is derived from the identical Citizen's Band radio term. Some software products provide services to other systems and have no direct end users.",
"d3f:has-account": {
"@id": "d3f:UserAccount"
},
"d3f:restricted-by": {
"@id": "d3f:AccessControlList"
},
"rdfs:isDefinedBy": {
"@id": "dbr:User_(computing)"
},
"rdfs:label": "User",
"rdfs:seeAlso": [
{
"@id": "d3f:UserAccount"
},
{
"@id": "http://wordnet-rdf.princeton.edu/id/10761247-n"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:Agent"
},
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:Ne2989d267125435895a3ae9bd07275a9"
},
{
"@id": "_:Nb33925571f8e445a84b4a041f08d828b"
}
]
},
{
"@id": "_:Ne2989d267125435895a3ae9bd07275a9",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-account"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "_:Nb33925571f8e445a84b4a041f08d828b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restricted-by"
},
"owl:someValuesFrom": {
"@id": "d3f:AccessControlList"
}
},
{
"@id": "d3f:HardwareComponentInventory",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:HardwareComponentInventory"
],
"d3f:d3fend-id": "D3-HCI",
"d3f:definition": "Hardware component inventorying identifies and records the hardware items in the organization's architecture.",
"d3f:inventories": {
"@id": "d3f:HardwareDevice"
},
"d3f:kb-article": "## How it works\nAdministrators collect information on hardware devices such as peripherals, NICs, processors, and memory devices that are components of the computers in their architecture using a variety of administrative and management tools that query for this information. In some cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through remote adminstration tools and system commands, either manually or using scripts.\n\n## Considerations\n* Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.\n* An adversary conducting network enumeration may engage in activities that parallel normal hardware inventorying activities, but would require escalating to admin privileges for most of the operations requiting administrative tools\n\n## Examples\n* Bus discovery\n * Admin-scripted PCI Bus inventory using ssh and pciutils\n* Application-layer discovery\n * Simple Network Management Protocol (SNMP) collects MIB information\n * Web-based Enterprise Management (WBEM) collects CIM information\n * Windows Management Instrumentation (WMI)\n * Windows Management Infrastructure (MI)",
"d3f:kb-reference": {
"@id": "d3f:Reference-AdvancedDeviceMatchingSystem"
},
"d3f:synonym": [
"Hardware Component Discovery",
"Hardware Component Inventorying"
],
"rdfs:label": "Hardware Component Inventory",
"rdfs:subClassOf": [
{
"@id": "d3f:AssetInventory"
},
{
"@id": "_:Nb6c8e2314df042c9adaf3469f85b1f22"
}
]
},
{
"@id": "_:Nb6c8e2314df042c9adaf3469f85b1f22",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:inventories"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:RestoreSoftware",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:RestoreSoftware"
],
"d3f:d3fend-id": "D3-RS",
"d3f:definition": "Restoring software to a host.",
"d3f:kb-reference": {
"@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
},
"d3f:restores": {
"@id": "d3f:Software"
},
"rdfs:label": "Restore Software",
"rdfs:subClassOf": [
{
"@id": "d3f:RestoreObject"
},
{
"@id": "_:N7dacacd949e94cc98bc6c9917719d215"
}
]
},
{
"@id": "_:N7dacacd949e94cc98bc6c9917719d215",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restores"
},
"owl:someValuesFrom": {
"@id": "d3f:Software"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_IA-2_1",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": {
"@id": "d3f:Multi-factorAuthentication"
},
"rdfs:label": "IA-2(1)"
},
{
"@id": "d3f:LinuxRead",
"@type": "owl:Class",
"d3f:definition": "Read from a file descriptor.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/read.2.html"
},
"rdfs:label": "Linux Read",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIReadFile"
}
},
{
"@id": "d3f:CWE-797",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-797",
"d3f:definition": "The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. \"byte number 10\"), thereby missing remaining special elements that may exist before sending it to a downstream component.",
"rdfs:label": "Only Filtering Special Elements at an Absolute Position",
"rdfs:subClassOf": {
"@id": "d3f:CWE-795"
}
},
{
"@id": "d3f:CCI-002690_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:FileContentRules"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system distributes indicators of compromise.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-11T00:00:00"
},
"rdfs:label": "CCI-002690"
},
{
"@id": "d3f:T1220",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:adds": {
"@id": "d3f:File"
},
"d3f:attack-id": "T1220",
"d3f:definition": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)",
"d3f:interprets": {
"@id": "d3f:ExecutableScript"
},
"d3f:invokes": {
"@id": "d3f:CreateProcess"
},
"rdfs:label": "XSL Script Processing",
"rdfs:subClassOf": [
{
"@id": "d3f:DefenseEvasionTechnique"
},
{
"@id": "_:Ne6c32b1b3ed74237a89eb6ad8c693b4d"
},
{
"@id": "_:N6c5806738c32416cb8600185c582486f"
},
{
"@id": "_:N98ed6193a0eb498c9b971ece8ce6cb54"
}
]
},
{
"@id": "_:Ne6c32b1b3ed74237a89eb6ad8c693b4d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:adds"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "_:N6c5806738c32416cb8600185c582486f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:interprets"
},
"owl:someValuesFrom": {
"@id": "d3f:ExecutableScript"
}
},
{
"@id": "_:N98ed6193a0eb498c9b971ece8ce6cb54",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "d3f:AdobePDFFile1.3",
"@type": [
"owl:NamedIndividual",
"d3f:DocumentFile"
],
"d3f:may-contain": {
"@id": "d3f:JavascriptFile"
},
"rdfs:label": "Adobe PDF File 1.3"
},
{
"@id": "d3f:Semi-supervisedCluster-then-label",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SSCTL",
"d3f:definition": "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data.",
"d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
"rdfs:label": "Semi-supervised Cluster-then-label",
"rdfs:subClassOf": {
"@id": "d3f:UnsupervisedPreprocessing"
}
},
{
"@id": "d3f:AuthenticationEventThresholding",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:AuthenticationEventThresholding"
],
"d3f:analyzes": {
"@id": "d3f:Authentication"
},
"d3f:created": {
"@type": "xsd:dateTime",
"@value": "2020-08-05T00:00:00"
},
"d3f:d3fend-id": "D3-ANET",
"d3f:definition": "Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.",
"d3f:kb-article": "## How it works\nAuthentication event data is collected (logon information such as device id, time of day, day of week, geo-location, etc.) to create an activity baseline. Then, a threshold is determined either through a manually specified configuration, or a statistical analysis of deviations in historical data. New authentication events are evaluated to determine if a threshold is exceeded. Thresholds can be static or dynamic.\n\n### Actions\nAs a result of the analysis, actions taken could include:\n\n* [Account Locking](/technique/d3f:AccountLocking)\n* Raising an alert\n\n### Example data sources\n * Directory server logs\n * VPN Server logs\n * IDAM Capability logs\n * NAC logs\n * Authentication client logs\n * Kerberos network traffic\n * LDAP network traffic\n\n## Considerations\n\nThis technique covers statistical outliers. Though depending on the complexity or dimensionality of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If the malicious activity is not statistically different from benign activity, an alert threshold will not be met.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
},
{
"@id": "d3f:Reference-SimultaneousLoginsOnAHost_MITRE"
},
{
"@id": "d3f:Reference-UserLoggedInToMultipleHosts_MITRE"
},
{
"@id": "d3f:Reference-UserLoginActivityMonitoring_MITRE"
},
{
"@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
}
],
"rdfs:label": "Authentication Event Thresholding",
"rdfs:subClassOf": [
{
"@id": "d3f:UserBehaviorAnalysis"
},
{
"@id": "_:N9fb03f0e296244db84e58c6b585c9215"
}
]
},
{
"@id": "_:N9fb03f0e296244db84e58c6b585c9215",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:Authentication"
}
},
{
"@id": "d3f:Credential",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:authenticates": {
"@id": "d3f:UserAccount"
},
"d3f:definition": "A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something a person knows (such as a number or PIN), something they have (such as an access badge), something they are (such as a biometric feature), something they do (measurable behavioral patterns) or some combination of these items. This is known as multi-factor authentication. The typical credential is an access card or key-fob, and newer software can also turn users' smartphones into access devices.",
"rdfs:isDefinedBy": {
"@id": "http://dbpedia.org/resource/Access_control#Credential"
},
"rdfs:label": "Credential",
"rdfs:seeAlso": {
"@id": "dbr:Access_control"
},
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "_:N45643fbf35d94c45949c3bf0ca49ce6d"
}
]
},
{
"@id": "_:N45643fbf35d94c45949c3bf0ca49ce6d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:authenticates"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "d3f:ConfigurationResource",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A resource used to configure a system including software and hardware.",
"rdfs:label": "Configuration Resource",
"rdfs:subClassOf": {
"@id": "d3f:Resource"
}
},
{
"@id": "d3f:IntrusionDetectionSystem",
"@type": "owl:Class",
"d3f:definition": "An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.",
"rdfs:isDefinedBy": {
"@id": "dbr:Intrusion_detection_system"
},
"rdfs:label": "Intrusion Detection System",
"rdfs:subClassOf": {
"@id": "d3f:DigitalInformationBearer"
},
"skos:altLabel": "IDS"
},
{
"@id": "d3f:TunnelEvent",
"@type": "owl:Class",
"d3f:definition": "An event involving the establishment, usage, or termination of a network tunnel. Tunnels provide encapsulated communication pathways across various layers, enabling secure, isolated, or virtualized transport of data.",
"rdfs:label": "Tunnel Event",
"rdfs:subClassOf": {
"@id": "d3f:NetworkEvent"
}
},
{
"@id": "d3f:d3fend-general-object-property",
"@type": "owl:ObjectProperty",
"rdfs:label": "d3fend-general-object-property",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-object-property"
}
},
{
"@id": "d3f:T1059.002",
"@type": "owl:Class",
"d3f:attack-id": "T1059.002",
"d3f:definition": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.",
"rdfs:label": "AppleScript",
"rdfs:subClassOf": {
"@id": "d3f:T1059"
}
},
{
"@id": "d3f:Reference-Munin",
"@type": [
"owl:NamedIndividual",
"d3f:SourceCodeReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://github.com/Neo23x0/munin"
},
"d3f:kb-author": "Florian Roth",
"d3f:kb-reference-title": "Online Hash Checker for Virustotal and Other Services",
"rdfs:label": "Reference - Munin"
},
{
"@id": "d3f:SystemUtilizationRecord",
"@type": "owl:Class",
"d3f:definition": "A system utilization record is a record for the tracking of resource utilization e.g. CPU, Disk, Network, Memory Bandwidth, GPU, or other resources for a given time period.",
"rdfs:label": "System Utilization Record",
"rdfs:subClassOf": {
"@id": "d3f:Record"
}
},
{
"@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US10079749B2/en"
},
"d3f:kb-abstract": "Various embodiments pertain to communication network systems. In particular, various embodiments relate to multi-path probing in communication network systems that can be used to estimate the complete topology of the network. A method includes receiving data at a source node from a tracerouting probe in a network. The data includes information about at least one network node. The method also includes determining an identification for the at least one network node based on information. In addition, the method includes using the identification of the at least one network node to determine an identification of at least one device.",
"d3f:kb-author": "Tomas KUBIK, Lan Li, Tomas RYBKA, Karlo ZATYLNY, Chris O'Brien",
"d3f:kb-organization": "SolarWinds Worldwide LLC",
"d3f:kb-reference-title": "Identification of traceroute nodes and associated devices",
"rdfs:label": "Reference - Identification of traceroute nodes and associated devices"
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-6_9",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:broader": [
{
"@id": "d3f:LocalAccountMonitoring"
},
{
"@id": "d3f:UserBehaviorAnalysis"
}
],
"d3f:control-name": "Least Privilege | Log Use of Privileged Functions",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-6(9)"
},
{
"@id": "d3f:T1104",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1104",
"d3f:definition": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.",
"d3f:produces": {
"@id": "d3f:OutboundInternetNetworkTraffic"
},
"rdfs:label": "Multi-Stage Channels",
"rdfs:subClassOf": [
{
"@id": "d3f:CommandAndControlTechnique"
},
{
"@id": "_:N0dc4f8fa9a2f47439918632d9cd345f0"
}
]
},
{
"@id": "_:N0dc4f8fa9a2f47439918632d9cd345f0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetNetworkTraffic"
}
},
{
"@id": "d3f:CWE-41",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-41",
"d3f:definition": "The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.",
"rdfs:label": "Improper Resolution of Path Equivalence",
"rdfs:subClassOf": {
"@id": "d3f:CWE-706"
}
},
{
"@id": "d3f:CCI-002322_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:RemoteTerminalSessionDetection"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-06-24T00:00:00"
},
"rdfs:label": "CCI-002322"
},
{
"@id": "d3f:CWE-799",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-799",
"d3f:definition": "The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.",
"d3f:synonym": [
"Brute force",
"Insufficient anti-automation"
],
"rdfs:label": "Improper Control of Interaction Frequency",
"rdfs:subClassOf": {
"@id": "d3f:CWE-691"
}
},
{
"@id": "d3f:InternetArticleReference",
"@type": "owl:Class",
"d3f:pref-label": "Internet Article",
"rdfs:label": "Internet Article Reference",
"rdfs:subClassOf": {
"@id": "d3f:TechniqueReference"
},
"skos:altLabel": "Internet Blog Reference"
},
{
"@id": "d3f:OTLogicVariable",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A variable which directly affects a program running on an OT controller, involving an OT Process.",
"rdfs:label": "OT Logic Variable",
"rdfs:subClassOf": {
"@id": "d3f:RuntimeVariable"
}
},
{
"@id": "d3f:HardLink",
"@type": "owl:Class",
"d3f:definition": "In computing, a hard link is a directory entry that associates a name with a file on a file system. All directory-based file systems must have at least one hard link giving the original name for each file. The term \"hard link\" is usually only used in file systems that allow more than one hard link for the same file. Multiple hard links -- that is, multiple directory entries to the same file -- are supported by POSIX-compliant and partially POSIX-compliant operating systems, such as Linux, Android, macOS, and also Windows NT4 and later Windows NT operating systems.",
"rdfs:isDefinedBy": {
"@id": "dbr:Hard_link"
},
"rdfs:label": "Hard Link",
"rdfs:subClassOf": {
"@id": "d3f:FileSystemLink"
}
},
{
"@id": "d3f:T1552.001",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:File"
},
"d3f:attack-id": "T1552.001",
"d3f:definition": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.",
"rdfs:label": "Credentials In Files",
"rdfs:subClassOf": [
{
"@id": "d3f:T1552"
},
{
"@id": "_:N2c4edf0c72e14dad81bac469a51bdffa"
}
]
},
{
"@id": "_:N2c4edf0c72e14dad81bac469a51bdffa",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:T1574.013",
"@type": "owl:Class",
"d3f:attack-id": "T1574.013",
"d3f:definition": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable)",
"rdfs:label": "KernelCallbackTable",
"rdfs:subClassOf": {
"@id": "d3f:T1574"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-4_28",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Information Flow Enforcement | Linear Filter Pipelines",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:OutboundTrafficFiltering"
}
],
"rdfs:label": "AC-4(28)"
},
{
"@id": "d3f:DetectionEvent",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An event capturing the identification of a potential security issue, such as unauthorized access attempts, policy violations, or anomalous activities. Detection events form the foundation of cybersecurity monitoring and response.",
"d3f:related": {
"@id": "d3f:Detect"
},
"rdfs:label": "Detection Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/categories/findings"
},
"rdfs:subClassOf": {
"@id": "d3f:SecurityEvent"
}
},
{
"@id": "d3f:LinuxSocketcallArgumentSYS_CONNECT",
"@type": "owl:Class",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/socketcall.2.html"
},
"rdfs:label": "Linux Socketcall Argument SYS_CONNECT",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIConnectSocket"
}
},
{
"@id": "d3f:CWE-614",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-614",
"d3f:definition": "The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.",
"rdfs:label": "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
"rdfs:subClassOf": {
"@id": "d3f:CWE-319"
}
},
{
"@id": "d3f:LinuxFork",
"@type": "owl:Class",
"d3f:definition": "Creates a child process with unique PID but retains parent PID as Parent Process Identifier (PPID).",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/fork.2.html"
},
"rdfs:label": "Linux Fork",
"rdfs:subClassOf": {
"@id": "d3f:OSAPICreateProcess"
}
},
{
"@id": "d3f:UserInitConfigurationFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A user initialization configuration file is a file containing the information necessary to configure that part of a user's environment which is common to all applications and actions. User configurations may be overridden by more specific configuration information (such as that found in a application configuration file.)",
"rdfs:label": "User Init Configuration File",
"rdfs:subClassOf": [
{
"@id": "d3f:ConfigurationFile"
},
{
"@id": "d3f:UserLogonInitResource"
}
],
"skos:altLabel": "User Configuration File"
},
{
"@id": "d3f:Semi-supervisedBoosting",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SSB",
"d3f:definition": "Boosting methods can be readily extended to the semi-supervised setting, by introducing pseudo-labeled data after each learning step; which gives rise to the idea of semi-supervised boosting methods. The pseudo-labeling approach of self- training and co-training can be easily extended to boosting methods. Several boosting methods such as SSMBoost, ASSEMBLE, SemiBoost, RegBoost, etc can be found which can be applied for utilizing unlabeled datasets for supervised classifiers.",
"d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
"rdfs:label": "Semi-supervised Boosting",
"rdfs:subClassOf": {
"@id": "d3f:Semi-supervisedWrapperMethod"
}
},
{
"@id": "d3f:Application-basedProcessIsolation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:Application-basedProcessIsolation"
],
"d3f:d3fend-id": "D3-ABPI",
"d3f:definition": "Application code which prevents its own subroutines from accessing intra-process / internal memory space.",
"d3f:isolates": {
"@id": "d3f:Process"
},
"d3f:kb-article": "## How it works\nSome applications implement logic to permit or deny a particular subroutine access to other data within the same applicaition process. This is intended to prevent critical application process data from being tampered with.\n\n### Application-based Process Isolation in web browsers.\n\nIsolation in browsers usually is designed with the following architectural mindset:\n* Sandboxes and web resources should not be allowed to access each other because compromise of one should not effect the other.\n* The principle of least-privilege should be followed when browsing.\nThe following aspects help make browser-based process isolation possible:\n* Same Origin Policy\n* Separate tabs and iframes use their own DOMs (cross-site document object models always run as a different process)\n* CORS ensures cross-site data is not delivered to a process unless the server allows it\n* Cookie and local data storage is separated by domain/site\n* Separate execution environments (threads)\n\n## Considerations\n- Using isolation in browsers does mitigate and protect by default some types of attacks (e.g. renderer attacks and access to the filesystem) but it depends on correct configuration of CORS, use of valid/appropriate certificates.\n- Application-based Process Isolation may increase memory footprint.\n- Application-based Process Isolation may decrease application performance.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-PrivateApplicationAccessWithBrowserIsolation"
},
{
"@id": "d3f:Reference-ProtectingWebApplicationsFromUntrustedEndpointsUsingRemoteBrowserIsolation"
},
{
"@id": "d3f:Reference-SiteIsolationDesignDocument"
}
],
"d3f:restricts": {
"@id": "d3f:Subroutine"
},
"d3f:synonym": [
"Browser-based Process Isolation",
"Remote Browser Isolation",
"Sandbox"
],
"rdfs:label": "Application-based Process Isolation",
"rdfs:subClassOf": [
{
"@id": "d3f:ExecutionIsolation"
},
{
"@id": "_:N459f2f0aad94496c8bf0519a2a5c1eff"
},
{
"@id": "_:Nde3b60af4d734900bd3363b13b78f029"
}
]
},
{
"@id": "_:N459f2f0aad94496c8bf0519a2a5c1eff",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:isolates"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "_:Nde3b60af4d734900bd3363b13b78f029",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:restricts"
},
"owl:someValuesFrom": {
"@id": "d3f:Subroutine"
}
},
{
"@id": "d3f:IdentifierActivityAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:IdentifierActivityAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:Identifier"
},
"d3f:d3fend-id": "D3-IAA",
"d3f:definition": "Taking known malicious identifiers and determining if they are present in a system.",
"d3f:kb-article": "## How it works\n\nIdentifier activity analysis is the process of taking identifiers--typically known malicious identifiers--and determining the artifacts that have interacted with those identifiers.\n\nThere are many open and closed source repositories of identifiers that represent indicators of compromise. For example, VirusTotal contains hash signatures of malware and IP Addresses used by threat actors. Defenders can search for these indicators of compromise their own systems to gain context on activity around an identifier.\n\n## Considerations\n\nIndicator activity analysis is a good way to gain high precision analysis, but adversaries can modify their own signatures such as hashes quickly to evade detection. This is related to David Bianco’s Pyramid of Pain - Indicators on the lower level (hash values, IP addresses domain names) are easy for adversaries to change.\n\nIdentifier activity data of interest for analysis with the identifier might include, but is not limited to:\n\n* network traffic activity where the identifier was used to identify communicating entities or referred to in the communication\n* process activity referencing the identifier, especially for resource access\n* file activity referencing the identifier\n* registry settings referencing the identifier",
"d3f:kb-reference": {
"@id": "d3f:Reference-ThePyramidOfPain-DavidBianco"
},
"rdfs:label": "Identifier Activity Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:IdentifierAnalysis"
},
{
"@id": "_:N2f3a15c3e565476aa6dcd6dac23ab772"
}
]
},
{
"@id": "_:N2f3a15c3e565476aa6dcd6dac23ab772",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:Identifier"
}
},
{
"@id": "d3f:T1569.003",
"@type": "owl:Class",
"d3f:attack-id": "T1569.003",
"d3f:definition": "Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.",
"rdfs:label": "Systemctl",
"rdfs:subClassOf": {
"@id": "d3f:T1569"
}
},
{
"@id": "d3f:kb-organization",
"@type": "owl:AnnotationProperty",
"d3f:definition": "x kb-organization y: The reference x was created or owned by the organization y.",
"rdfs:label": "kb-organization",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-kb-annotation-property"
}
},
{
"@id": "d3f:NetworkAgent",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A network agent is software installed on a network node or device that transmits information back to a collector agent or management system. Kinds of network agents include SNMP Agent, IPMI agents, WBEM agents, and many proprietary agents capturing network monitoring and management information.",
"d3f:synonym": "Exporter",
"rdfs:label": "Network Agent",
"rdfs:subClassOf": {
"@id": "d3f:Software"
}
},
{
"@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20190081968A1/en"
},
"d3f:kb-abstract": "A system and method for assessing the identity fraud risk of an entity's (a user's, computer process's, or device's) behavior within a computer network and then to take appropriate action. The system uses real-time machine learning for its assessment. It records the entity's log-in behavior (conditions at log-in) and behavior once logged in to create an entity profile that helps identify behavior patterns. The system compares new entity behavior with the entity profile to determine a risk score and a confidence level for the behavior. If the risk score and confidence level indicate a credible identity fraud risk at log-in, the system can require more factors of authentication before log-in succeeds. If the system detects risky behavior after log-in, it can take remedial action such as ending the entity's session, curtailing the entity's privileges, or notifying a human administrator.",
"d3f:kb-author": "Yanlin Wang; Weizhi Li",
"d3f:kb-mitre-analysis": "This patent describes determining a confidence score to detect anomalies in user activity based on comparing a user's behavior profile with current user activity events. The following types of events are used to develop a user entity profile:\n\n* logon and logoff times and locations\n* starting or ending applications\n* reading or writing files\n* changing an entity 's authorization\n* monitoring network traffic\n\nUser events that deviate from the entity profile over a certain threshold trigger a remedial action.",
"d3f:kb-organization": "Idaptive LLC",
"d3f:kb-reference-of": [
{
"@id": "d3f:AuthenticationEventThresholding"
},
{
"@id": "d3f:AuthorizationEventThresholding"
},
{
"@id": "d3f:ResourceAccessPatternAnalysis"
},
{
"@id": "d3f:SessionDurationAnalysis"
},
{
"@id": "d3f:UserGeolocationLogonPatternAnalysis"
}
],
"d3f:kb-reference-title": "Method and Apparatus for Network Fraud Detection and Remediation Through Analytics",
"rdfs:label": "Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC"
},
{
"@id": "d3f:PythonPackage",
"@type": "owl:Class",
"d3f:definition": "A Python package is an aggregation of many Python files - either in source code or in bytecode - and associated metadata and resources (text, images, etc.). Python packages can be distributed in different file formats.",
"rdfs:label": "Python Package",
"rdfs:seeAlso": {
"@id": "https://packaging.python.org/"
},
"rdfs:subClassOf": {
"@id": "d3f:SoftwarePackage"
}
},
{
"@id": "d3f:modified",
"@type": "owl:DatatypeProperty",
"d3f:definition": "Date on which the resource was changed.",
"rdfs:label": {
"@language": "en",
"@value": "date modified"
},
"rdfs:range": {
"@id": "xsd:dateTime"
},
"rdfs:subPropertyOf": {
"@id": "d3f:date"
}
},
{
"@id": "d3f:T1136.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1136.003",
"d3f:creates": {
"@id": "d3f:CloudUserAccount"
},
"d3f:definition": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)",
"rdfs:label": "Cloud Account",
"rdfs:subClassOf": [
{
"@id": "d3f:T1136"
},
{
"@id": "_:N2d09c0eed3284ce2a213eac009e94208"
}
]
},
{
"@id": "_:N2d09c0eed3284ce2a213eac009e94208",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:CloudUserAccount"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_AC-24",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Access Control Decisions",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "AC-24"
},
{
"@id": "d3f:InternetFileTransferTraffic",
"@type": "owl:Class",
"d3f:definition": "Internet file transfer network traffic is network traffic related to file transfers between network nodes that crosses a boundary between networks. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols.",
"rdfs:label": "Internet File Transfer Traffic",
"rdfs:subClassOf": [
{
"@id": "d3f:FileTransferNetworkTraffic"
},
{
"@id": "d3f:InternetNetworkTraffic"
}
]
},
{
"@id": "d3f:NetworkSession",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A network session is a temporary and interactive information interchange between two or more devices communicating over a network. A session is established at a certain point in time, and then 'torn down' - brought to an end - at some later point. An established communication session may involve more than one message in each direction. A session is typically stateful, meaning that at least one of the communicating parties needs to hold current state information and save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. Network sessions may be established and implemented as part of protocols and services at the application, session, or transport layers of the OSI model.",
"d3f:produces": {
"@id": "d3f:NetworkTraffic"
},
"rdfs:label": "Network Session",
"rdfs:seeAlso": [
{
"@id": "dbr:OSI_model"
},
{
"@id": "dbr:Session_(computer_science)"
},
{
"@id": "https://schema.ocsf.io/objects/network_connection_info"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:Session"
},
{
"@id": "_:Nb2a54a06b58d4f1e8971d28b3cccf950"
}
]
},
{
"@id": "_:Nb2a54a06b58d4f1e8971d28b3cccf950",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTraffic"
}
},
{
"@id": "d3f:CWE-749",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-749",
"d3f:definition": "The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.",
"rdfs:label": "Exposed Dangerous Method or Function",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:CWE-1245",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1245",
"d3f:definition": "Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.",
"rdfs:label": "Improper Finite State Machines (FSMs) in Hardware Logic",
"rdfs:subClassOf": {
"@id": "d3f:CWE-684"
}
},
{
"@id": "d3f:restores",
"@type": "owl:ObjectProperty",
"d3f:definition": "x restores y: The entity x returns entity y to its known-good or previous state.",
"rdfs:label": "restores",
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:M1021",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:d3fend-comment": "M1021 scope is broad, touches on an wide variety of techniques in d3fend.",
"d3f:related": [
{
"@id": "d3f:DNSAllowlisting"
},
{
"@id": "d3f:DNSDenylisting"
},
{
"@id": "d3f:FileAnalysis"
},
{
"@id": "d3f:InboundTrafficFiltering"
},
{
"@id": "d3f:NetworkTrafficAnalysis"
},
{
"@id": "d3f:OutboundTrafficFiltering"
},
{
"@id": "d3f:URLAnalysis"
}
],
"rdfs:label": "Restrict Web-Based Content"
},
{
"@id": "d3f:OTReadTimeCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Read timing mechanisms.",
"rdfs:label": "OT Read Time Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTTimeCommandEvent"
},
{
"@id": "_:N3658f42d488a48078939f77255a26d35"
}
]
},
{
"@id": "_:N3658f42d488a48078939f77255a26d35",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTReadTimeCommand"
}
},
{
"@id": "d3f:T1137.006",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:adds": {
"@id": "d3f:Software"
},
"d3f:attack-id": "T1137.006",
"d3f:definition": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)",
"d3f:may-modify": {
"@id": "d3f:SystemConfigurationDatabase"
},
"d3f:modifies": {
"@id": "d3f:OfficeApplication"
},
"rdfs:label": "Add-ins",
"rdfs:subClassOf": [
{
"@id": "d3f:T1137"
},
{
"@id": "_:N3678822a2ab945a191315919d31b89bc"
},
{
"@id": "_:N93bd0bafe326438589c392bda2387deb"
},
{
"@id": "_:N692e225ad5084c2d8d771ce711777f6c"
}
]
},
{
"@id": "_:N3678822a2ab945a191315919d31b89bc",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:adds"
},
"owl:someValuesFrom": {
"@id": "d3f:Software"
}
},
{
"@id": "_:N93bd0bafe326438589c392bda2387deb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-modify"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemConfigurationDatabase"
}
},
{
"@id": "_:N692e225ad5084c2d8d771ce711777f6c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:OfficeApplication"
}
},
{
"@id": "d3f:ServiceBinaryVerification",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ServiceBinaryVerification"
],
"d3f:d3fend-id": "D3-SBV",
"d3f:definition": "Analyzing changes in service binary files by comparing to a source of truth.",
"d3f:kb-article": "## How it works\nSystem service applications may originate from the operating system installation or third-party applications installed with administrative privileges. These services have an entry point of some executable file-- a binary or a script. Attackers sometimes modify these executables to launch their own code. Analyzing changes in these files may uncover unauthorized activity.\n\n## Considerations\n* These files change for legitimate reasons when the system or software updates.\n* The source of truth must not be corrupted in order for this method to work.",
"d3f:kb-reference": {
"@id": "d3f:Reference-ServiceBinaryModifications_MITRE"
},
"d3f:verifies": {
"@id": "d3f:ServiceApplication"
},
"rdfs:label": "Service Binary Verification",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemFileAnalysis"
},
{
"@id": "_:Nf36282025a544d42a3b7cf798e1d7d7b"
}
]
},
{
"@id": "_:Nf36282025a544d42a3b7cf798e1d7d7b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:verifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceApplication"
}
},
{
"@id": "d3f:CWE-1192",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1192",
"d3f:definition": "The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.",
"rdfs:label": [
"Improper Identifier for IP Block used in System-On-Chip (SOC)",
"System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers"
],
"rdfs:subClassOf": {
"@id": "d3f:CWE-657"
}
},
{
"@id": "d3f:EventLogDisableEvent",
"@type": "owl:Class",
"d3f:definition": "An event indicating that the event logging service has been disabled, preventing it from collecting or recording logs.",
"rdfs:label": "Event Log Disable Event",
"rdfs:subClassOf": [
{
"@id": "d3f:EventLogEvent"
},
{
"@id": "_:N82dfafa67c6c4dd195759e910e33394a"
}
]
},
{
"@id": "_:N82dfafa67c6c4dd195759e910e33394a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:EventLogEnableEvent"
}
},
{
"@id": "d3f:UserToUserMessage",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Personal message, private message (PM), direct message (DM), or personal chat (PC) is a private form of messaging between different members on a given platform. It is only seen and accessible by the users participating in the message.",
"d3f:has-recipient": {
"@id": "d3f:UserAccount"
},
"d3f:has-sender": {
"@id": "d3f:UserAccount"
},
"d3f:may-contain": {
"@id": "d3f:Email"
},
"rdfs:isDefinedBy": {
"@id": "dbr:Personal_message"
},
"rdfs:label": "User to User Message",
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalMessage"
},
{
"@id": "_:N0ea5a864096d4020b19f8285bbf6a4eb"
},
{
"@id": "_:Nad5c974cbe664c90a9b9fdac61e6e049"
},
{
"@id": "_:N936b1e203ba84d59bb5973ad49c1e3df"
}
],
"skos:altLabel": [
"Personal Message",
"Private Message"
]
},
{
"@id": "_:N0ea5a864096d4020b19f8285bbf6a4eb",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-recipient"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "_:Nad5c974cbe664c90a9b9fdac61e6e049",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-sender"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "_:N936b1e203ba84d59bb5973ad49c1e3df",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-contain"
},
"owl:someValuesFrom": {
"@id": "d3f:Email"
}
},
{
"@id": "d3f:OSAPIFreeMemory",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "An OS API function that releases or deallocates memory that was previously allocated by the program.",
"d3f:invokes": {
"@id": "d3f:FreeMemory"
},
"rdfs:label": "OS API Free Memory",
"rdfs:subClassOf": [
{
"@id": "d3f:OSAPISystemFunction"
},
{
"@id": "_:N5d508b2bb82f4e5188c1ed183724d8e8"
}
]
},
{
"@id": "_:N5d508b2bb82f4e5188c1ed183724d8e8",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:invokes"
},
"owl:someValuesFrom": {
"@id": "d3f:FreeMemory"
}
},
{
"@id": "d3f:GetSystemConfigValue",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:reads": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
},
"rdfs:label": "Get System Config Value",
"rdfs:seeAlso": {
"@id": "https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa"
},
"rdfs:subClassOf": [
{
"@id": "d3f:SystemConfigSystemCall"
},
{
"@id": "_:N556baa9d2d5248948bc1aa78c7d84643"
}
]
},
{
"@id": "_:N556baa9d2d5248948bc1aa78c7d84643",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:reads"
},
"owl:someValuesFrom": {
"@id": "d3f:SystemConfigurationDatabaseRecord"
}
},
{
"@id": "d3f:VersionControlTool",
"@type": "owl:Class",
"d3f:definition": "Version control tools are tools that used to conduct version control. A component of software configuration management, version control, also known as revision control, source control, or source code management systems are systems responsible for the management of changes to documents, computer programs, large web sites, and other collections of information. Changes are usually identified by a number or letter code, termed the \"revision number\", \"revision level\", or simply \"revision\". For example, an initial set of files is \"revision 1\". When the first change is made, the resulting set is \"revision 2\", and so on. Each revision is associated with a timestamp and the person making the change. Revisions can be compared, restored, and with some types of files, merged.",
"rdfs:isDefinedBy": {
"@id": "dbr:Version_control"
},
"rdfs:label": "Version Control Tool",
"rdfs:seeAlso": {
"@id": "dbr:Software_configuration_management"
},
"rdfs:subClassOf": {
"@id": "d3f:DeveloperApplication"
},
"skos:altLabel": [
"Revision Control",
"Source Control"
]
},
{
"@id": "d3f:CWE-424",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-424",
"d3f:definition": "The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.",
"rdfs:label": "Improper Protection of Alternate Path",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-638"
},
{
"@id": "d3f:CWE-693"
}
]
},
{
"@id": "d3f:LinuxTime",
"@type": "owl:Class",
"d3f:definition": "Get time in seconds.",
"rdfs:isDefinedBy": {
"@id": "https://man7.org/linux/man-pages/man2/time.2.html"
},
"rdfs:label": "Linux Time",
"rdfs:subClassOf": {
"@id": "d3f:OSAPIGetSystemTime"
}
},
{
"@id": "d3f:CWE-642",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-642",
"d3f:definition": "The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.",
"rdfs:label": "External Control of Critical State Data",
"rdfs:subClassOf": {
"@id": "d3f:CWE-668"
}
},
{
"@id": "d3f:CWE-653",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-653",
"d3f:definition": "The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.",
"d3f:synonym": "Separation of Privilege",
"rdfs:label": "Improper Isolation or Compartmentalization",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-657"
},
{
"@id": "d3f:CWE-693"
}
]
},
{
"@id": "d3f:records",
"@type": "owl:ObjectProperty",
"d3f:definition": "x records y: The digital artifact x makes a record of events y; set down in permanent form.",
"rdfs:isDefinedBy": {
"@id": "http://wordnet-rdf.princeton.edu/id/01002259-v"
},
"rdfs:label": "records",
"rdfs:seeAlso": {
"@id": "http://wordnet-rdf.princeton.edu/id/01003181-v"
},
"rdfs:subPropertyOf": {
"@id": "d3f:associated-with"
}
},
{
"@id": "d3f:KernelModuleUnloadEvent",
"@type": "owl:Class",
"d3f:definition": "An event representing the removal of a kernel module from the operating system kernel, deallocating resources and potentially altering system functionality.",
"rdfs:label": "Kernel Module Unload Event",
"rdfs:subClassOf": [
{
"@id": "d3f:KernelModuleEvent"
},
{
"@id": "_:N7ba01f1076ff41f988043e311325551b"
},
{
"@id": "_:N903396e810344dbf9a004adb32aca9cf"
}
]
},
{
"@id": "_:N7ba01f1076ff41f988043e311325551b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:KernelModuleLoadEvent"
}
},
{
"@id": "_:N903396e810344dbf9a004adb32aca9cf",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:precedes"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryDeletionEvent"
}
},
{
"@id": "d3f:CWE-316",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-316",
"d3f:definition": "The product stores sensitive information in cleartext in memory.",
"rdfs:label": "Cleartext Storage of Sensitive Information in Memory",
"rdfs:subClassOf": {
"@id": "d3f:CWE-312"
}
},
{
"@id": "d3f:T1490",
"@type": "owl:Class",
"d3f:attack-id": "T1490",
"d3f:definition": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.",
"rdfs:label": "Inhibit System Recovery",
"rdfs:subClassOf": {
"@id": "d3f:ImpactTechnique"
}
},
{
"@id": "d3f:WebSocketURL",
"@type": [
"owl:NamedIndividual",
"d3f:URL"
],
"rdfs:label": "Web Socket URL"
},
{
"@id": "d3f:CWE-213",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-213",
"d3f:definition": "The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.",
"rdfs:label": "Exposure of Sensitive Information Due to Incompatible Policies",
"rdfs:subClassOf": {
"@id": "d3f:CWE-200"
}
},
{
"@id": "d3f:Semi-supervisedManifoldLearning",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SSML",
"d3f:definition": "A version of Semi-Supervised Learning that applies the Manifold assumption that the data like approximately on a manifold of much lower dimension than the input space.",
"d3f:kb-article": "## References\nWeak supervision. Wikipedia. [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).",
"rdfs:label": "Semi-supervised Manifold Learning",
"rdfs:subClassOf": {
"@id": "d3f:IntrinsicallySemi-supervisedLearning"
}
},
{
"@id": "d3f:UserStartupScriptFile",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A user startup script file is a shortcut file that is executed when a user logs in and starts a session on the host. These indicate applications the user wants started at login. For Windows, these are typically found in the user's startup directory.",
"rdfs:label": "User Startup Script File",
"rdfs:subClassOf": [
{
"@id": "d3f:ExecutableScript"
},
{
"@id": "d3f:UserLogonInitResource"
}
]
},
{
"@id": "d3f:Reference-SystemsAndMethodsForDetectingCredentialTheft_SymantecCorp",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US10162962B1"
},
"d3f:kb-abstract": "The disclosed computer-implemented method for detecting credential theft may include (i) monitoring a secured computing system's credential store that may include at least one sensitive credential that may be used to facilitate authentication of a user that is attempting to access the secured computing system, (ii) gathering, while monitoring the credential store, primary evidence of an attempted theft of the sensitive credential from the credential store, (iii) gathering corroborating evidence of the attempted theft of the sensitive credential, and (iv) performing a security action in response to gathering the primary evidence and the corroborating evidence of the attempted theft. The primary evidence of the attempted theft of the sensitive credential may include evidence of any suspicious access of the sensitive credential from the credential store that occurs outside of a procedure of authenticating the user. Various other methods, systems, and computer-readable media are also disclosed.",
"d3f:kb-author": "Adam Glick; Brian Schlatter; Feng Li; Akshata Krishnamoorthy Rao",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "Symantec Corp",
"d3f:kb-reference-of": {
"@id": "d3f:CredentialCompromiseScopeAnalysis"
},
"d3f:kb-reference-title": "Systems and methods for detecting credential theft",
"rdfs:label": "Reference - Systems and methods for detecting credential theft - Symantec Corp"
},
{
"@id": "d3f:CWE-25",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-25",
"d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/../\" sequences that can resolve to a location that is outside of that directory.",
"rdfs:label": "Path Traversal: '/../filedir'",
"rdfs:subClassOf": {
"@id": "d3f:CWE-23"
}
},
{
"@id": "d3f:RPCTrafficAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:RPCTrafficAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:RPCNetworkTraffic"
},
"d3f:d3fend-id": "D3-RTA",
"d3f:definition": "Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.",
"d3f:kb-article": "## How it works\nA remote procedure call (RPC) enables one computer to execute a specific function on another computer, as if it were a local application process. There are numerous RPC specifications and implementations. RPC capabilities can be abused by attackers in order to achieve a variety of tactical objectives including execution, persistence, initial access, and more. RPC proxies may be used to collect and store RPC traffic. RPCs can occur over network sockets or named pipes.\n\nAnalytics look for unauthorized behavior such as:\n\n* Processes being launched or scheduled remotely\n* System configurations being changed remotely\n* Unauthorized file read activity\n\nExample RPC Protocols:\n\n* DCE/RPC\n* CORBA\n* Open Network Computing Remote Procedure Call\n* D-Bus\n* XML-RPC\n* JSON-RPC\n* SOAP\n* Apache Thrift\n\n## Considerations\n* RPC is widely used in enterprise environments, and significant data filtering may be required in large environments to enable analytic processing.\n* RPC traffic may occur over a pipe, or within a host over loopback interface, thus making network collection difficult.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-CAR-2014-11-007-RemoteWindowsManagementInstrumentation_WMI_OverRPC_MITRE"
},
{
"@id": "d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other"
},
{
"@id": "d3f:Reference-RPCCallInterception_CrowdstrikeInc"
},
{
"@id": "d3f:Reference-RemotelyLaunchedExecutablesViaServices_MITRE"
},
{
"@id": "d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE"
},
{
"@id": "d3f:Reference-RemotelyScheduledTasksViaSchtasks_MITRE"
},
{
"@id": "d3f:Reference-SMBWriteRequest-NamedPipes_MITRE"
},
{
"@id": "d3f:Reference-CAR-2014-05-001%3ARPCActivity_MITRE"
}
],
"d3f:synonym": "RPC Protocol Analysis",
"rdfs:label": "RPC Traffic Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkTrafficAnalysis"
},
{
"@id": "_:N04b056a3a0f840a591eb9f8e2cccac8d"
}
]
},
{
"@id": "_:N04b056a3a0f840a591eb9f8e2cccac8d",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:RPCNetworkTraffic"
}
},
{
"@id": "d3f:may-evict",
"@type": "owl:ObjectProperty",
"d3f:pref-label": "may evict",
"rdfs:label": "may-evict",
"rdfs:subPropertyOf": [
{
"@id": "d3f:may-counter"
},
{
"@id": "d3f:may-counter-attack"
}
]
},
{
"@id": "d3f:Reference-LsassProcessDumpViaProcdump_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2019-07-002/"
},
"d3f:kb-abstract": "ProcDump is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.\n\nProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.",
"d3f:kb-author": "MITRE",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2019-07-002: Lsass Process Dump via Procdump",
"rdfs:label": "Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITRE"
},
{
"@id": "d3f:T1163",
"@type": "owl:Class",
"d3f:attack-id": "T1163",
"d3f:definition": "During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1037.004",
"rdfs:label": "Rc.common",
"rdfs:seeAlso": "T1037.004",
"rdfs:subClassOf": {
"@id": "d3f:PersistenceTechnique"
}
},
{
"@id": "d3f:Reference-ThreatDetectionForReturnOrientedProgramming_CrowdstrikeInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20140075556A1"
},
"d3f:kb-abstract": "This disclosure describes, in part, techniques for detecting security exploits associated with return-oriented programming. The techniques include determining that a retrieved count is indicative of malicious activity, such as return oriented programming. The count may be retrieved from a processor performance counter of prediction mismatches, the prediction mismatches resulting from comparisons of a call stack of a computing device and of a shadow call stack maintained by a processor of the computing device. The techniques further include performing at least one security response action in response to determining that the count indicates malicious activity.",
"d3f:kb-author": "Georg WICHERSKI",
"d3f:kb-mitre-analysis": "This patent describes a technique for detecting shellcode security exploits. A call stack of a computing device is compared with a shadow call stack maintained by a processor of the computing device since a return oriented program may only be able to control or spoof the call stack and not the shadow call stack. Mismatches between the two are counted and if the number of mismatches exceeds a certain threshold it is an indication of malicious activity and a security response action is performed.",
"d3f:kb-organization": "Crowdstrike Inc",
"d3f:kb-reference-of": {
"@id": "d3f:ShadowStackComparisons"
},
"d3f:kb-reference-title": "Threat detection for return oriented programming",
"rdfs:label": "Reference - Threat detection for return oriented programming - Crowdstrike Inc"
},
{
"@id": "d3f:DS0005",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers",
"rdfs:comment": "This data source captures events relating to WMI objects and therefore has no direct mappings to digital artifacts.",
"rdfs:label": "WMI (ATT&CK DS)"
},
{
"@id": "d3f:CCI-002464_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system provides data integrity protection artifacts for internal name/address resolution queries.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:DomainTrustPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002464"
},
{
"@id": "d3f:CWE-649",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-649",
"d3f:definition": "The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.",
"rdfs:label": "Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",
"rdfs:subClassOf": {
"@id": "d3f:CWE-345"
}
},
{
"@id": "d3f:OutboundInternetNetworkTraffic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Outbound internet network traffic is network traffic on an outgoing connection initiated from a host within a network to a host outside the network.",
"rdfs:label": "Outbound Internet Network Traffic",
"rdfs:seeAlso": {
"@id": "dbr:Internetworking"
},
"rdfs:subClassOf": [
{
"@id": "d3f:InternetNetworkTraffic"
},
{
"@id": "d3f:OutboundNetworkTraffic"
}
]
},
{
"@id": "d3f:FileEviction",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:FileEviction"
],
"d3f:d3fend-id": "D3-FEV",
"d3f:definition": "File eviction techniques delete files from system storage.",
"d3f:deletes": {
"@id": "d3f:File"
},
"d3f:kb-article": "## How it works\n\nAdversaries may place files or programs into a computer's file system to perform malicious actions. As part of the eviction process, these files and programs should be removed to prevent further compromise or reinfection. Examples of malicious types of files are malware which is directly harmful and content files with the intent to deceive users (e.g., phishing.)\n\nOn Windows systems, antivirus (AV) software should be used to safely and permanently remove malicious files. AV software may first quarantine a suspected malicious file, which is the process of moving a file from its original location to a new location and makes changes so that it cannot be executed. Users can then verify that the file is not benign and then permanently delete it.\n\n## Considerations\n\nWhen it is determined that a file should be removed for security purposes, the organization--or systems implementing an organization's policies--may determine that the file should not simply be deleted from the enterprise's mission systems, but be quarantined to a secure system by an approved mechanism, so as to allow follow-up investigation by security staff.\n\nOn Windows systems, deleting a file in File Explorer does not permanently delete a file - it sends it to the Recycle Bin instead. The Recycle Bin must be emptied, or alternative steps must be performed to remove files completely. Even then, in some cases the data may persist in disk, so data shredder tools may be needed to completely wipe a file. Thus, AV tools are recommended.",
"d3f:kb-reference": {
"@id": "d3f:Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives"
},
"rdfs:label": "File Eviction",
"rdfs:subClassOf": [
{
"@id": "d3f:ObjectEviction"
},
{
"@id": "_:Nbd78b62b9c584bbe92a75695b55ab9e0"
}
]
},
{
"@id": "_:Nbd78b62b9c584bbe92a75695b55ab9e0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:deletes"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:T1010",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1010",
"d3f:definition": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)",
"d3f:may-invoke": [
{
"@id": "d3f:CreateProcess"
},
{
"@id": "d3f:GetOpenWindows"
}
],
"rdfs:label": "Application Window Discovery",
"rdfs:subClassOf": [
{
"@id": "d3f:DiscoveryTechnique"
},
{
"@id": "_:N0a55bb53cf9b4297aecde5a0808435a4"
},
{
"@id": "_:Nd60ff10c7bab4bb688f4e7ed97014bf0"
}
]
},
{
"@id": "_:N0a55bb53cf9b4297aecde5a0808435a4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:CreateProcess"
}
},
{
"@id": "_:Nd60ff10c7bab4bb688f4e7ed97014bf0",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-invoke"
},
"owl:someValuesFrom": {
"@id": "d3f:GetOpenWindows"
}
},
{
"@id": "d3f:ContentFormatConversion",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ContentFormatConversion"
],
"d3f:d3fend-id": "D3-CFC",
"d3f:definition": "Content format conversion is mechanical transformation from one format to another which may be normalization or specifically flattening.",
"d3f:kb-article": "## How it works\n\nThis technique may enhance security by transforming files into safer or normalized formats.",
"d3f:kb-reference": {
"@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
},
"rdfs:label": "Content Format Conversion",
"rdfs:subClassOf": {
"@id": "d3f:ContentModification"
}
},
{
"@id": "d3f:HTTPPutEvent",
"@type": "owl:Class",
"d3f:definition": "An event where the HTTP PUT method is used to replace all current representations of the target resource with the request payload.",
"rdfs:label": "HTTP PUT Event",
"rdfs:subClassOf": {
"@id": "d3f:HTTPRequestEvent"
}
},
{
"@id": "d3f:TFTPServer",
"@type": "owl:Class",
"d3f:definition": "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. It is used where user authentication and directory visibility are not required.",
"rdfs:isDefinedBy": {
"@id": "dbr:Trivial_File_Transfer_Protocol"
},
"rdfs:label": "TFTP Server",
"rdfs:subClassOf": {
"@id": "d3f:Server"
}
},
{
"@id": "d3f:PhysicalLinkEvent",
"@type": "owl:Class",
"d3f:definition": "A discrete event that changes either the presence of the transmission medium or the operational state of a single-hop layer-1 link between two network nodes.",
"rdfs:label": "Physical Link Event",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkDeviceEvent"
},
{
"@id": "_:N4fab4b64699d45c69b714ce6c8914910"
}
]
},
{
"@id": "_:N4fab4b64699d45c69b714ce6c8914910",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:PhysicalLink"
}
},
{
"@id": "d3f:T1584.005",
"@type": "owl:Class",
"d3f:attack-id": "T1584.005",
"d3f:definition": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
"rdfs:label": "Botnet",
"rdfs:subClassOf": {
"@id": "d3f:T1584"
}
},
{
"@id": "d3f:BayesianLinearRegression",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-BLR",
"d3f:definition": "Bayesian linear regression is a type of conditional modeling in which the mean of one variable is described by a linear combination of other variables, with the goal of obtaining the posterior probability of the regression coefficients.",
"d3f:kb-article": "## References\nWikipedia. (n.d.). Bayesian linear regression. [Link](https://en.wikipedia.org/wiki/Bayesian_linear_regression)",
"rdfs:label": "Bayesian Linear Regression",
"rdfs:subClassOf": {
"@id": "d3f:RegressionAnalysis"
}
},
{
"@id": "d3f:PredicateLogic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-PL",
"d3f:definition": "Predicate logic is is collection of formal systems used in mathematics, philosophy, linguistics, and computer science. First-order logic and Higher-order logic both incorporate predicate logic.",
"d3f:kb-article": "## References\n1. First-order logic. (2023, May 26). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/First-order_logic)\n2. Higher-order logic. (2023, May 13)\n[Link](https://en.wikipedia.org/wiki/Higher-order_logic)",
"rdfs:label": "Predicate Logic",
"rdfs:subClassOf": {
"@id": "d3f:SymbolicAI"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SI-3",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:broader": [
{
"@id": "d3f:FileAnalysis"
},
{
"@id": "d3f:NetworkTrafficAnalysis"
},
{
"@id": "d3f:PlatformMonitoring"
},
{
"@id": "d3f:ProcessAnalysis"
}
],
"d3f:control-name": "Malicious Code Protection",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"rdfs:label": "SI-3"
},
{
"@id": "d3f:AllocateMemory",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:creates": {
"@id": "d3f:MemoryBlock"
},
"rdfs:label": "Allocate Memory",
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:N2c1695f4b2f3402ea9e3e2462b194cc2"
}
]
},
{
"@id": "_:N2c1695f4b2f3402ea9e3e2462b194cc2",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:MemoryBlock"
}
},
{
"@id": "d3f:T1071.002",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1071.002",
"d3f:definition": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.",
"d3f:produces": {
"@id": "d3f:OutboundInternetFileTransferTraffic"
},
"rdfs:label": "File Transfer Protocols",
"rdfs:subClassOf": [
{
"@id": "d3f:T1071"
},
{
"@id": "_:Nabd4a64bf7804db385b603bfb44cd1e3"
}
]
},
{
"@id": "_:Nabd4a64bf7804db385b603bfb44cd1e3",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:OutboundInternetFileTransferTraffic"
}
},
{
"@id": "d3f:CWE-413",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-413",
"d3f:definition": "The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.",
"rdfs:label": "Improper Resource Locking",
"rdfs:subClassOf": {
"@id": "d3f:CWE-667"
}
},
{
"@id": "d3f:CCI-002425_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by organization-defined alternative physical safeguards.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:EncryptedTunnels"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-02T00:00:00"
},
"rdfs:label": "CCI-002425"
},
{
"@id": "d3f:HumanInputDeviceFirmware",
"@type": "owl:Class",
"d3f:definition": "Firmware that is installed on an HCI device such as a mouse or keyboard.",
"rdfs:label": "Human Input Device Firmware",
"rdfs:seeAlso": [
{
"@id": "d3f:Firmware"
},
{
"@id": "dbr:Human_interface_device"
}
],
"rdfs:subClassOf": {
"@id": "d3f:PeripheralFirmware"
}
},
{
"@id": "d3f:CredentialRevocation",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:CredentialRevocation"
],
"d3f:d3fend-id": "D3-CR",
"d3f:definition": "Deleting a set of credentials permanently to prevent them from being used to authenticate.",
"d3f:deletes": {
"@id": "d3f:Credential"
},
"d3f:kb-article": "## How it works\n\nManagement servers with enterprise policies for account management provide the ability remove permissions, accounts, or credentials. Compromised credentials should be revoked to prevent further malicious activity.",
"d3f:kb-reference": {
"@id": "d3f:Reference-RevokingaPreviouslyIssuedVerifiableCredential-Microsoft"
},
"rdfs:label": "Credential Revocation",
"rdfs:subClassOf": [
{
"@id": "d3f:CredentialEviction"
},
{
"@id": "_:Nf3348fb3418846ab98e1fdb4a0b6f688"
}
]
},
{
"@id": "_:Nf3348fb3418846ab98e1fdb4a0b6f688",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:deletes"
},
"owl:someValuesFrom": {
"@id": "d3f:Credential"
}
},
{
"@id": "d3f:has-audience",
"@type": "owl:ObjectProperty",
"rdfs:label": "has-audience",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-use-case-object-property"
}
},
{
"@id": "d3f:CCI-001399_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:UserAccountPermissions"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system supports and maintains the binding of organization-defined security attributes to information in storage.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-22T00:00:00"
},
"rdfs:label": "CCI-001399"
},
{
"@id": "d3f:CWE-84",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-84",
"d3f:definition": "The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.",
"rdfs:label": "Improper Neutralization of Encoded URI Schemes in a Web Page",
"rdfs:subClassOf": {
"@id": "d3f:CWE-79"
}
},
{
"@id": "d3f:OTDeviceManagementMessageEvent",
"@type": "owl:Class",
"d3f:definition": "Manage devices and their configurations.",
"rdfs:label": "OT Device Management Message Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTEvent"
},
{
"@id": "_:N75234db6b55d406a8219ab890cc32e9f"
}
]
},
{
"@id": "_:N75234db6b55d406a8219ab890cc32e9f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTDeviceManagementMessage"
}
},
{
"@id": "d3f:CWE-1193",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1193",
"d3f:definition": "The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.",
"rdfs:label": "Power-On of Untrusted Execution Core Before Enabling Fabric Access Control",
"rdfs:subClassOf": {
"@id": "d3f:CWE-696"
}
},
{
"@id": "d3f:Model-basedPolicyOptimization",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-MBPO",
"d3f:definition": "Model-based policy optimization (MBPO) is a model-based, online, off-policy reinforcement learning algorithm. For more information on the different types of reinforcement learning agents",
"d3f:kb-article": "## References\nMBPO Agents. MathWorks. [Link](https://www.mathworks.com/help/reinforcement-learning/ug/mbpo-agents.html).",
"rdfs:label": "Model-based Policy Optimization",
"rdfs:subClassOf": {
"@id": "d3f:Model-basedReinforcementLearning"
}
},
{
"@id": "d3f:T1546.013",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1546.013",
"d3f:definition": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.",
"d3f:modifies": {
"@id": "d3f:PowerShellProfileScript"
},
"rdfs:label": "PowerShell Profile",
"rdfs:subClassOf": [
{
"@id": "d3f:T1546"
},
{
"@id": "_:N41812bc7879947f0ae0aa796dd60fc29"
}
]
},
{
"@id": "_:N41812bc7879947f0ae0aa796dd60fc29",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:PowerShellProfileScript"
}
},
{
"@id": "d3f:T1528",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:accesses": {
"@id": "d3f:AccessToken"
},
"d3f:attack-id": "T1528",
"d3f:definition": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.",
"rdfs:label": "Steal Application Access Token",
"rdfs:subClassOf": [
{
"@id": "d3f:CredentialAccessTechnique"
},
{
"@id": "_:Naaeeac518c0248ff82371bc6e65f73bd"
}
]
},
{
"@id": "_:Naaeeac518c0248ff82371bc6e65f73bd",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:accesses"
},
"owl:someValuesFrom": {
"@id": "d3f:AccessToken"
}
},
{
"@id": "d3f:T1598.002",
"@type": "owl:Class",
"d3f:attack-id": "T1598.002",
"d3f:definition": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
"rdfs:label": "Spearphishing Attachment",
"rdfs:subClassOf": {
"@id": "d3f:T1598"
}
},
{
"@id": "d3f:HTTPResponseEvent",
"@type": "owl:Class",
"d3f:definition": "An event where an HTTP response is sent from a server to a client over an established TCP connection.",
"rdfs:label": "HTTP Response Event",
"rdfs:subClassOf": [
{
"@id": "d3f:HTTPEvent"
},
{
"@id": "_:N915f4a240a87417ba652fe0f9ab8ce20"
}
]
},
{
"@id": "_:N915f4a240a87417ba652fe0f9ab8ce20",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:HTTPRequestEvent"
}
},
{
"@id": "d3f:CCI-000186_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:CredentialHardening"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-15T00:00:00"
},
"rdfs:label": "CCI-000186"
},
{
"@id": "d3f:CCI-002684_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:NetworkTrafficAnalysis"
},
{
"@id": "d3f:PlatformMonitoring"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system audits and/or alerts organization-defined personnel when unauthorized network services are detected.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2013-07-11T00:00:00"
},
"rdfs:label": "CCI-002684"
},
{
"@id": "d3f:text",
"@type": "owl:DatatypeProperty",
"d3f:definition": "The text of the document (i.e., terms of license.)",
"rdfs:label": {
"@language": "en",
"@value": "text"
},
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-catalog-data-property"
}
},
{
"@id": "d3f:Reference-HeuristicBotnetDetection_PaloAltoNetworksInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20160156644A1"
},
"d3f:kb-abstract": "In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.",
"d3f:kb-author": "Xinran Wang; Huagang Xie",
"d3f:kb-mitre-analysis": "This patent describes detecting botnets using heuristic analysis techniques on collected network flows. The heuristic techniques include:\n\n* Identifying suspicious traffic patterns to detect command and control traffic ex. periodically visiting a known malware URL, a host visiting a malware domain twice every 5 hour and 14 minutes (this is a specific pattern for a variant of Swizzor botnets).\n* Identifying non-standard behaviors such as connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, communicating using HTTP header with a shorter than common length\n* Analyzing visited domain information to identify the following: visiting a domain with a domain name that is longer than a common domain name length, visiting a dynamic DNS domain, visiting a fast-flux domain, and visiting a recently created domain.\n\nA score is determined based on these factors and if the score is over a threshold, a responsive action is performed.",
"d3f:kb-organization": "Palo Alto Networks Inc",
"d3f:kb-reference-of": {
"@id": "d3f:DNSTrafficAnalysis"
},
"d3f:kb-reference-title": "Heuristic botnet detection",
"rdfs:label": "Reference - Heuristic botnet detection - Palo Alto Networks Inc"
},
{
"@id": "d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics",
"@type": [
"owl:NamedIndividual",
"d3f:AcademicPaperReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://pure.uva.nl/ws/files/1739225/132135_thesis.pdf"
},
"d3f:kb-author": "van den Bos, J.",
"d3f:kb-reference-of": [
{
"@id": "d3f:FileContentDecompressionChecking"
},
{
"@id": "d3f:FileInternalStructureVerification"
},
{
"@id": "d3f:FileMagicByteVerification"
},
{
"@id": "d3f:FileMetadataConsistencyValidation"
}
],
"d3f:kb-reference-title": "Gathering Evidence: Model-Driven Software Engineering in Automated Digital Forensics",
"rdfs:label": "Reference - Gathering Evidence: Model-Driven Software Engineering in Automated Digital Forensics"
},
{
"@id": "d3f:T1195.003",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1195.003",
"d3f:definition": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.",
"d3f:modifies": {
"@id": "d3f:HardwareDevice"
},
"rdfs:label": "Compromise Hardware Supply Chain",
"rdfs:subClassOf": [
{
"@id": "d3f:T1195"
},
{
"@id": "_:Nc9e6cb026eaa4c7ca85ff9b634ee7f19"
}
]
},
{
"@id": "_:Nc9e6cb026eaa4c7ca85ff9b634ee7f19",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:HardwareDevice"
}
},
{
"@id": "d3f:T1546",
"@type": "owl:Class",
"d3f:attack-id": "T1546",
"d3f:definition": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)",
"rdfs:label": "Event Triggered Execution",
"rdfs:subClassOf": [
{
"@id": "d3f:PersistenceTechnique"
},
{
"@id": "d3f:PrivilegeEscalationTechnique"
}
]
},
{
"@id": "d3f:CWE-1394",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1394",
"d3f:definition": "The product uses a default cryptographic key for potentially critical functionality.",
"rdfs:label": "Use of Default Cryptographic Key",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1392"
}
},
{
"@id": "d3f:HardDiskFirmware",
"@type": "owl:Class",
"d3f:definition": "Firmware that is installed on a hard disk device.",
"rdfs:label": "Hard Disk Firmware",
"rdfs:seeAlso": {
"@id": "dbr:Hard_disk_drive"
},
"rdfs:subClassOf": {
"@id": "d3f:PeripheralFirmware"
},
"skos:altLabel": "Hard Drive Firmware"
},
{
"@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20160191560A1"
},
"d3f:kb-abstract": "A method and system for identifying insider threats within an organization is provided. The approach constructs an internal connectivity graph to identify communities of hosts/users, and checks for abnormal behavior relative to past behaviors.",
"d3f:kb-author": "David Lopes Pegna; Himanshu Mhatre; Oliver Brdiczka",
"d3f:kb-mitre-analysis": "This patent describes techniques for detecting insider attacks. Network packet capture data is collected and stored for processing. Metadata is extracted for each communication session on the organization's network and includes information on source and destination host destination port, number of connection attempts, size of data exchanged, duration and time of the communication. The metadata is used to build a connectivity graph of the network and identify groups of similar hosts that exhibit similar behavior. For each group of similar behavior identified, a baseline behavior pattern profile is developed. Network activity for a host within a group that deviates over a threshold from the baseline behavior patterns is identified as suspicious and an alert is generated.",
"d3f:kb-organization": "VECTRA NETWORKS Inc",
"d3f:kb-reference-of": [
{
"@id": "d3f:NetworkTrafficCommunityDeviation"
},
{
"@id": "d3f:ProtocolMetadataAnomalyDetection"
}
],
"d3f:kb-reference-title": "System for implementing threat detection using daily network traffic community outliers",
"rdfs:label": "Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Inc"
},
{
"@id": "d3f:T1553.004",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1553.004",
"d3f:definition": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.",
"d3f:modifies": {
"@id": "d3f:CertificateTrustStore"
},
"rdfs:label": "Install Root Certificate",
"rdfs:subClassOf": [
{
"@id": "d3f:T1553"
},
{
"@id": "_:Nc01bb526008c4ef1a1a59cd360e8bb06"
}
]
},
{
"@id": "_:Nc01bb526008c4ef1a1a59cd360e8bb06",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:CertificateTrustStore"
}
},
{
"@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20190188384A1"
},
"d3f:kb-abstract": "Described herein are systems, techniques, and computer program products for preventing execution, by a scripting engine, of harmful commands that may be introduced by computer malware or other mechanisms. The system identifies certain host processes that may attempt to utilize a hosted scripting engine. An unmanaged interface module is injected into an identified host process. The unmanaged interface module is configured to detect certain conditions indicating the likelihood that a scripting engine will be instantiated, and in response to inject a managed interface module into the host process. The managed interface module hooks into certain methods of the scripting engine to intercept commands before they are executed by the scripting engine. The managed and unmanaged interface components then communicate with a kernel-mode threat detection component to determine whether any commands should be blocked.",
"d3f:kb-author": "Ion-Alexandru IONESCU; Satoshi Tanda",
"d3f:kb-mitre-analysis": "The patent describes techniques that can be implemented to detect and block malicious commands and command scripts from being executed by scripting engines.\n\n### Script Execution Monitoring explanation\nThis patent describes software installed on the host system that hooks into methods of a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. For example regular expression checking may be used to identify commands having malicious patterns. Expression checking may be used for script files as well as interactively - typed commands.\n\n### File Content Signatures explanation\nThis patent includes File Content Signatures because in the case of a script file, a hash of the file is compared against hashes of known malicious script files to determine whether the script file is malicious.",
"d3f:kb-organization": "Crowdstrike Inc",
"d3f:kb-reference-of": [
{
"@id": "d3f:FileContentRules"
},
{
"@id": "d3f:ScriptExecutionAnalysis"
}
],
"d3f:kb-reference-title": "Detecting script-based malware",
"rdfs:label": "Reference - Detecting script-based malware - Crowdstrike Inc"
},
{
"@id": "d3f:CCI-001556_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system uniquely authenticates destination domains for information transfer.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:DomainTrustPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2010-05-11T00:00:00"
},
"rdfs:label": "CCI-001556"
},
{
"@id": "d3f:CWE-1419",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1419",
"d3f:definition": "The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.",
"rdfs:label": "Incorrect Initialization of Resource",
"rdfs:subClassOf": {
"@id": "d3f:CWE-665"
}
},
{
"@id": "d3f:UserDataTransferAnalysis",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:UserDataTransferAnalysis"
],
"d3f:analyzes": {
"@id": "d3f:ResourceAccess"
},
"d3f:d3fend-id": "D3-UDTA",
"d3f:definition": "Analyzing the amount of data transferred by a user.",
"d3f:kb-article": "## How it works\nUnusual data transfer activity may indicate unauthorized activity. Data transfers can be analyzed by collecting network traffic or application logs.\n\n## Considerations\n* There is a potential for false positives from anomalies that are not associated with unauthorized activity.\n* Attackers that move low and slow may not differentiate their data transfer behavior enough for an alert to trigger.",
"d3f:kb-reference": [
{
"@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"
},
{
"@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc"
}
],
"rdfs:label": "User Data Transfer Analysis",
"rdfs:subClassOf": [
{
"@id": "d3f:UserBehaviorAnalysis"
},
{
"@id": "_:Ne26bc19e74e74d16aff535887c312d0a"
}
]
},
{
"@id": "_:Ne26bc19e74e74d16aff535887c312d0a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:analyzes"
},
"owl:someValuesFrom": {
"@id": "d3f:ResourceAccess"
}
},
{
"@id": "d3f:BitmapImage",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A graphical image whose data is stored in a grid format.",
"rdfs:label": "Bitmap Image",
"rdfs:subClassOf": {
"@id": "d3f:DigitalImage"
}
},
{
"@id": "d3f:DS0034",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:definition": "Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives",
"rdfs:comment": "This data source currently has no mappings to digital artifacts.",
"rdfs:label": "Volume (ATT&CK DS)"
},
{
"@id": "d3f:ProcessTerminationEvent",
"@type": "owl:Class",
"d3f:definition": "An event marking the cessation of a process, including resource deallocation and cleanup, either due to normal completion or abnormal termination.",
"rdfs:label": "Process Termination Event",
"rdfs:subClassOf": [
{
"@id": "d3f:ProcessEvent"
},
{
"@id": "_:N6a6a92d2aa204157a2a05a44bc6e24e9"
}
]
},
{
"@id": "_:N6a6a92d2aa204157a2a05a44bc6e24e9",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:ProcessCreationEvent"
}
},
{
"@id": "d3f:T1564.006",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1564.006",
"d3f:creates": {
"@id": "d3f:File"
},
"d3f:definition": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)",
"d3f:executes": {
"@id": "d3f:VirtualizationSoftware"
},
"d3f:may-add": {
"@id": "d3f:VirtualizationSoftware"
},
"d3f:may-create": {
"@id": "d3f:Directory"
},
"rdfs:label": "Run Virtual Instance",
"rdfs:subClassOf": [
{
"@id": "d3f:T1564"
},
{
"@id": "_:Nfddaaa15a5904a96aaff87a2e61f7d8c"
},
{
"@id": "_:Ne13e835f49a74341aaf5be590ec129a7"
},
{
"@id": "_:N7c246463e26c488c9d632e42c2d890c5"
},
{
"@id": "_:N712e1b4eecd045368d415c726d1486a7"
}
]
},
{
"@id": "_:Nfddaaa15a5904a96aaff87a2e61f7d8c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:creates"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "_:Ne13e835f49a74341aaf5be590ec129a7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:executes"
},
"owl:someValuesFrom": {
"@id": "d3f:VirtualizationSoftware"
}
},
{
"@id": "_:N7c246463e26c488c9d632e42c2d890c5",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-add"
},
"owl:someValuesFrom": {
"@id": "d3f:VirtualizationSoftware"
}
},
{
"@id": "_:N712e1b4eecd045368d415c726d1486a7",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:may-create"
},
"owl:someValuesFrom": {
"@id": "d3f:Directory"
}
},
{
"@id": "d3f:Reference-EvictionGuidanceforNetworksAffectedbytheSolarWindsandActiveDirectory/M365Compromise-CISA",
"@type": [
"owl:NamedIndividual",
"d3f:InternetArticleReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.cisa.gov/news-events/analysis-reports/ar21-134a"
},
"d3f:kb-organization": "CISA",
"d3f:kb-reference-of": [
{
"@id": "d3f:CredentialRotation"
},
{
"@id": "d3f:DNSCacheEviction"
}
],
"d3f:kb-reference-title": "Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise",
"rdfs:label": "Reference - Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise - CISA"
},
{
"@id": "d3f:T1148",
"@type": "owl:Class",
"d3f:attack-id": "T1148",
"d3f:definition": "The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1562.003",
"rdfs:label": "HISTCONTROL",
"rdfs:seeAlso": "T1562.003",
"rdfs:subClassOf": {
"@id": "d3f:DefenseEvasionTechnique"
}
},
{
"@id": "d3f:CWE-1059",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1059",
"d3f:definition": "The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.",
"rdfs:label": "Insufficient Technical Documentation",
"rdfs:subClassOf": {
"@id": "d3f:CWE-710"
}
},
{
"@id": "d3f:M1054",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseMitigation"
],
"d3f:related": [
{
"@id": "d3f:ApplicationConfigurationHardening"
},
{
"@id": "d3f:CertificatePinning"
}
],
"rdfs:label": "Software Configuration"
},
{
"@id": "d3f:ConfigurationDatabaseRecord",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A Configuration Database Record defines settings, parameters, or preferences for applications, systems, or devices.",
"d3f:synonym": "Configuration Record",
"rdfs:label": "Configuration Database Record",
"rdfs:subClassOf": [
{
"@id": "d3f:ConfigurationResource"
},
{
"@id": "d3f:DatabaseRecord"
}
]
},
{
"@id": "d3f:T1048",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1048",
"d3f:definition": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.",
"d3f:produces": {
"@id": "d3f:InternetNetworkTraffic"
},
"rdfs:label": "Exfiltration Over Alternative Protocol",
"rdfs:subClassOf": [
{
"@id": "d3f:ExfiltrationTechnique"
},
{
"@id": "_:Nc158ac19f8734b0cb72977d5cc8cbf53"
}
]
},
{
"@id": "_:Nc158ac19f8734b0cb72977d5cc8cbf53",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:produces"
},
"owl:someValuesFrom": {
"@id": "d3f:InternetNetworkTraffic"
}
},
{
"@id": "d3f:InboundInternetMailTraffic",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Inbound internet mail traffic is network traffic that is: (a) coming from a host outside a given network via an incoming connection to a host inside that same network, and (b) using a standard protocol for email.",
"rdfs:label": "Inbound Internet Mail Traffic",
"rdfs:seeAlso": {
"@id": "dbr:Internetworking"
},
"rdfs:subClassOf": [
{
"@id": "d3f:InboundInternetNetworkTraffic"
},
{
"@id": "d3f:InboundNetworkTraffic"
},
{
"@id": "d3f:MailNetworkTraffic"
}
]
},
{
"@id": "d3f:MACAddress",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment.",
"d3f:identifies": {
"@id": "d3f:NetworkInterfaceCard"
},
"rdfs:isDefinedBy": {
"@id": "dbr:MAC_address"
},
"rdfs:label": "MAC Address",
"rdfs:subClassOf": [
{
"@id": "d3f:Identifier"
},
{
"@id": "_:N25db52a7b73940cab1084cc3e4aaf199"
}
]
},
{
"@id": "_:N25db52a7b73940cab1084cc3e4aaf199",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:identifies"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkInterfaceCard"
}
},
{
"@id": "d3f:macOSProcess",
"@type": [
"owl:NamedIndividual",
"d3f:Process"
],
"rdfs:label": "macOS Process"
},
{
"@id": "rdfs:isDefinedBy",
"@type": "owl:AnnotationProperty",
"rdfs:label": "isDefinedBy"
},
{
"@id": "d3f:NetworkAudioStreamingResource",
"@type": "owl:Class",
"d3f:definition": "A server that provides digital audio media content to users.",
"rdfs:label": "Network Audio Streaming Resource",
"rdfs:subClassOf": {
"@id": "d3f:NetworkMediaStreamingResource"
}
},
{
"@id": "d3f:CCI-001452_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:AccountLocking"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-05-25T00:00:00"
},
"rdfs:label": "CCI-001452"
},
{
"@id": "d3f:SpectralClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-SC",
"d3f:definition": "Spectral clustering is a technique that identifies communities of nodes in a graph based on the edges connecting them.",
"d3f:kb-article": "## References\nTowards Data Science. (n.d.). Spectral Clustering. [Link](https://towardsdatascience.com/spectral-clustering-aba2640c0d5b)",
"rdfs:label": "Spectral Clustering",
"rdfs:subClassOf": {
"@id": "d3f:Graph-basedClustering"
}
},
{
"@id": "d3f:Reference-ContainerImageAnalysis",
"@type": [
"owl:NamedIndividual",
"d3f:InternetArticleReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF"
},
"d3f:kb-abstract": "Container Images can contain unneeded, unsecured or insecure files.\n By analyzing the container image, we can identify whether it respects\n a specific set of predefined policies.",
"d3f:kb-author": "National Security Agency",
"d3f:kb-reference-of": {
"@id": "d3f:ContainerImageAnalysis"
},
"d3f:kb-reference-title": "Kubernetes Hardening Guide",
"rdfs:label": "Reference - Container Image Analysis"
},
{
"@id": "d3f:OTDeviceIdentificationMessage",
"@type": "owl:Class",
"d3f:definition": "Identify devices on the network.",
"rdfs:comment": [
"BACnet: i-Am\nBACnet: i-Have\nBACnet: who-Has\nBACnet: who-Is ",
"ENIP: List Identity",
"Modbus: Read Device Identification\nModbus: Report Slave ID"
],
"rdfs:label": "OT Device Identification Message",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": {
"@id": "d3f:OTDeviceManagementMessage"
}
},
{
"@id": "d3f:CWE-407",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-407",
"d3f:definition": "An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.",
"d3f:synonym": "Quadratic Complexity",
"rdfs:label": "Inefficient Algorithmic Complexity",
"rdfs:subClassOf": {
"@id": "d3f:CWE-405"
}
},
{
"@id": "d3f:KendallsRankCorrelationCoefficient",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-KRCC",
"d3f:definition": "Kendall's $\\\\tau$ between and is given by $(n_c - n_d) / \\\\sqrt((n_c+n_d+n_x)(n_c+n_d+n_y)$, where is the number of concordant pairs of observations, is the number of discordant pairs, is the number of ties involving only the variable, and is the number of ties involving only the variable.\" ;",
"d3f:kb-article": "## References\n1. Wolfram Research. (2012). KendallTau. Wolfram Language function. [Link](https://reference.wolfram.com/language/ref/KendallTau.html)\n1. Kendall's Tau. (2023, May 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Kendall_rank_correlation_coefficient]\"\"\",",
"d3f:synonym": "Kendall's Tau Coefficient",
"rdfs:isDefinedBy": {
"@id": "https://reference.wolfram.com/language/ref/KendallTau.html"
},
"rdfs:label": "Kendall's Rank Correlation Coefficient",
"rdfs:subClassOf": {
"@id": "d3f:RankCorrelationCoefficient"
}
},
{
"@id": "d3f:pref-label",
"@type": "owl:AnnotationProperty",
"d3f:definition": "x pref-label y: The preferred display value for x is y in d3fend tools.",
"rdfs:label": "pref-label",
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-annotation"
}
},
{
"@id": "d3f:OTAbortCommand",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Commands a device to abort a service/program.",
"d3f:modifies": {
"@id": "d3f:OperatingMode"
},
"rdfs:comment": [
"BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
"GE-SRTP: SET PLC (RUN VS STOP)"
],
"rdfs:label": "OT Abort Command",
"rdfs:seeAlso": [
{
"@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
},
{
"@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
},
{
"@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:OTModifyDeviceOperatingModeCommand"
},
{
"@id": "_:N3b8ebdb02fc14a70bbc67a139c6ef62a"
}
]
},
{
"@id": "_:N3b8ebdb02fc14a70bbc67a139c6ef62a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:OperatingMode"
}
},
{
"@id": "d3f:Page",
"@type": "owl:Class",
"d3f:definition": "A page, memory page, logical page, or virtual page is a fixed-length contiguous block of virtual memory, described by a single entry in the page table. It is the smallest unit of data for memory management in a virtual memory operating system.",
"rdfs:isDefinedBy": {
"@id": "https://dbpedia.org/page/Page_(computer_memory)"
},
"rdfs:label": "Page",
"rdfs:subClassOf": {
"@id": "d3f:MemoryBlock"
}
},
{
"@id": "d3f:CWE-244",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-244",
"d3f:definition": "Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.",
"rdfs:label": "Improper Clearing of Heap Memory Before Release ('Heap Inspection')",
"rdfs:subClassOf": {
"@id": "d3f:CWE-226"
}
},
{
"@id": "d3f:T1161",
"@type": "owl:Class",
"d3f:attack-id": "T1161",
"d3f:definition": "Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependencies (Citation: Writing Bad Malware for OSX). There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time (Citation: Malware Persistence on OS X).",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1546.006",
"rdfs:label": "LC_LOAD_DYLIB Addition",
"rdfs:seeAlso": "T1546.006",
"rdfs:subClassOf": {
"@id": "d3f:PersistenceTechnique"
}
},
{
"@id": "d3f:OTTimeCommandEvent",
"@type": "owl:Class",
"d3f:definition": "Read, set, or calculate timing mechanisms.",
"rdfs:label": "OT Time Command Event",
"rdfs:subClassOf": [
{
"@id": "d3f:OTDeviceManagementMessageEvent"
},
{
"@id": "_:N667fb9f43be944809ef2ae94cc54b80a"
}
]
},
{
"@id": "_:N667fb9f43be944809ef2ae94cc54b80a",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:OTTimeCommand"
}
},
{
"@id": "d3f:CWE-184",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-184",
"d3f:definition": "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.",
"d3f:synonym": [
"Blacklist / Black List",
"Blocklist / Block List",
"Denylist / Deny List"
],
"rdfs:label": "Incomplete List of Disallowed Inputs",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-1023"
},
{
"@id": "d3f:CWE-693"
}
]
},
{
"@id": "d3f:may-be-deceived-by",
"@type": "owl:ObjectProperty",
"d3f:pref-label": "may be deceived by",
"owl:inverseOf": {
"@id": "d3f:may-deceive"
},
"rdfs:label": "may-be-deceived-by",
"rdfs:subPropertyOf": {
"@id": "d3f:attack-may-be-countered-by"
}
},
{
"@id": "d3f:CredentialHardening",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:CredentialHardening"
],
"d3f:d3fend-id": "D3-CH",
"d3f:definition": "Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.",
"d3f:enables": {
"@id": "d3f:Harden"
},
"d3f:hardens": {
"@id": "d3f:Credential"
},
"rdfs:label": "Credential Hardening",
"rdfs:subClassOf": [
{
"@id": "d3f:DefensiveTechnique"
},
{
"@id": "_:Nc1c2dcd0b5db4749a49277b273579efe"
},
{
"@id": "_:Nba038ea7d6a546a4a6c75bd9f6fc3879"
}
]
},
{
"@id": "_:Nc1c2dcd0b5db4749a49277b273579efe",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:enables"
},
"owl:someValuesFrom": {
"@id": "d3f:Harden"
}
},
{
"@id": "_:Nba038ea7d6a546a4a6c75bd9f6fc3879",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:hardens"
},
"owl:someValuesFrom": {
"@id": "d3f:Credential"
}
},
{
"@id": "d3f:T1602.001",
"@type": "owl:Class",
"d3f:attack-id": "T1602.001",
"d3f:definition": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).",
"rdfs:label": "SNMP (MIB Dump)",
"rdfs:subClassOf": {
"@id": "d3f:T1602"
}
},
{
"@id": "d3f:Reference-CManualIntegerInitialization_GNU",
"@type": [
"owl:NamedIndividual",
"d3f:UserManualReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.gnu.org/software/gnu-c-manual/gnu-c-manual.html#Integer-Types"
},
"d3f:kb-organization": "GNU",
"d3f:kb-reference-of": {
"@id": "d3f:VariableInitialization"
},
"d3f:kb-reference-title": "Integer Initialization in C",
"rdfs:label": "Reference - Integer Initialization - GNU C Manual"
},
{
"@id": "d3f:Reference-MaliciousRelayDetectionOnNetworks_VECTRANETWORKSInc",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US20150264083A1"
},
"d3f:kb-abstract": "A system and method for detecting malicious relay communications is disclosed. Network communications can be received and analyzed using such network components as a network switch. The received traffic can be parsed into sessions. Relay metadata can be extracted from the sessions and further be used to categorize the sessions into one or more types of relay metadata behaviors. Once a significant amount of sessions are detected an alarm may be triggered and/or alarm data may be generated for analysis by network security administrators.",
"d3f:kb-author": "Ryan James PRENGER; Nicolas BEAUCHESNE; Karl Matthew LYNN",
"d3f:kb-mitre-analysis": "This patent describes a technique for detecting relay networks, i.e. an attacker outside of the organization's network takes control of an internal host to be used as a source of attacks against other internal targets or exfiltrate data out of the organization. In this defensive technique, metadata from collected network packet captures is extracted to categorize network sessions using known relay behaviors. Information such as the number of bytes sent to and from a potential internal relay host, time of session initiation, packet contents, packet size, flow direction, and packet arrival time statistics are used to categorize the sessions and identify relay behavior. This technique assumes that relay network connections' inter-packet arrival times exhibit a high degree of variance in comparison to standard client-to-server connections. If enough evidence of relay behavior is gathered about a given internal host, the host is identified as suspicious and an alert is generated.",
"d3f:kb-organization": "VECTRA NETWORKS Inc",
"d3f:kb-reference-of": {
"@id": "d3f:RelayPatternAnalysis"
},
"d3f:kb-reference-title": "Malicious relay detection on networks",
"rdfs:label": "Reference - Malicious relay detection on networks - VECTRA NETWORKS Inc"
},
{
"@id": "d3f:T1574.010",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:attack-id": "T1574.010",
"d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.",
"d3f:modifies": {
"@id": "d3f:ServiceApplication"
},
"rdfs:label": "Services File Permissions Weakness",
"rdfs:subClassOf": [
{
"@id": "d3f:T1574"
},
{
"@id": "_:Ne2c93b6b4e4f4f71acd91c98f5918b4c"
}
],
"skos:altLabel": "Service Registry Permissions Weakness"
},
{
"@id": "_:Ne2c93b6b4e4f4f71acd91c98f5918b4c",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:ServiceApplication"
}
},
{
"@id": "d3f:NTPEvent",
"@type": "owl:Class",
"d3f:definition": "An event involving the Network Time Protocol (NTP), a protocol designed to synchronize the clocks of computer systems over packet-switched, variable-latency data networks, UDP as its transport protocol.",
"rdfs:label": "NTP Event",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/1.3.0/classes/ntp_activity"
},
"rdfs:subClassOf": [
{
"@id": "d3f:ApplicationLayerEvent"
},
{
"@id": "d3f:UDPEvent"
},
{
"@id": "_:Nf6e7aee23b9a4d7b8c43bac07cd9eed4"
}
]
},
{
"@id": "_:Nf6e7aee23b9a4d7b8c43bac07cd9eed4",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkTimeServer"
}
},
{
"@id": "d3f:Reference-Entrust-What-Is-Token-Based-Authentication",
"@type": [
"owl:NamedIndividual",
"d3f:InternetArticleReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://www.entrust.com/resources/learn/what-is-token-based-authentication"
},
"d3f:kb-abstract": "Token-based authentication is an authentication protocol where users verify their identity in exchange for a unique access token. Users can then access the website, application, or resource for the life of the token without having to re-enter their credentials.",
"d3f:kb-organization": "Entrust",
"d3f:kb-reference-of": {
"@id": "d3f:Token-basedAuthentication"
},
"d3f:kb-reference-title": "Identity Providers: What is Token Based Authentication",
"rdfs:label": "Reference - Identity Providers: What is Token Based Authentication"
},
{
"@id": "d3f:CCI-000831_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": [
{
"@id": "d3f:CredentialEviction"
},
{
"@id": "d3f:ProcessEviction"
}
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization implements a configurable capability to automatically disable the information system if organization-defined security violations are detected.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-18T00:00:00"
},
"rdfs:label": "CCI-000831"
},
{
"@id": "d3f:UseCaseGoal",
"@type": "owl:Class",
"rdfs:label": "Use Case Goal",
"rdfs:subClassOf": {
"@id": "d3f:Goal"
}
},
{
"@id": "d3f:CWE-337",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-337",
"d3f:definition": "A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.",
"rdfs:label": "Predictable Seed in Pseudo-Random Number Generator (PRNG)",
"rdfs:subClassOf": {
"@id": "d3f:CWE-335"
}
},
{
"@id": "d3f:CWE-478",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-478",
"d3f:definition": "The code does not have a default case in an expression with multiple conditions, such as a switch statement.",
"rdfs:label": "Missing Default Case in Multiple Condition Expression",
"rdfs:subClassOf": {
"@id": "d3f:CWE-1023"
}
},
{
"@id": "d3f:CreateProcess",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": [
"A process spawn refers to a function that loads and executes a new child process.The current process may wait for the child to terminate or may continue to execute asynchronously. Creating a new subprocess requires enough memory in which both the child process and the current program can execute. There is a family of spawn functions in DOS, inherited by Microsoft Windows. There is also a different family of spawn functions in an optional extension of the POSIX standards. Fork-exec is another technique combining two Unix system calls, which can effect a process spawn.",
"Creates a process.",
"Executes a process."
],
"d3f:executes": {
"@id": "d3f:Process"
},
"rdfs:label": "Create Process",
"rdfs:seeAlso": [
{
"@id": "dbr:Fork%E2%80%93exec"
},
{
"@id": "dbr:Spawn_(computing)"
},
{
"@id": "https://dbpedia.org/page/Fork%E2%80%93exec"
},
{
"@id": "https://dbpedia.org/page/Spawn_(computing)"
},
{
"@id": "https://docs.microsoft.com/en-us/windows/win32/procthread/creating-processes"
},
{
"@id": "https://learn.microsoft.com/en-us/windows/win32/procthread/creating-processes"
}
],
"rdfs:subClassOf": [
{
"@id": "d3f:SystemCall"
},
{
"@id": "_:Nbd29efb8cd40481080646a1fb83f5794"
}
],
"skos:altLabel": [
"Execute Process",
"Process Spawn",
"Spawn Process"
]
},
{
"@id": "_:Nbd29efb8cd40481080646a1fb83f5794",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:executes"
},
"owl:someValuesFrom": {
"@id": "d3f:Process"
}
},
{
"@id": "d3f:CWE-1326",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1326",
"d3f:definition": "A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.",
"rdfs:label": "Missing Immutable Root of Trust in Hardware",
"rdfs:subClassOf": {
"@id": "d3f:CWE-693"
}
},
{
"@id": "d3f:T1584.007",
"@type": "owl:Class",
"d3f:attack-id": "T1584.007",
"d3f:definition": "Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.",
"rdfs:label": "Serverless",
"rdfs:subClassOf": {
"@id": "d3f:T1584"
}
},
{
"@id": "d3f:T1590.001",
"@type": "owl:Class",
"d3f:attack-id": "T1590.001",
"d3f:definition": "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.",
"rdfs:label": "Domain Properties",
"rdfs:subClassOf": {
"@id": "d3f:T1590"
}
},
{
"@id": "d3f:Reference-CAR-2021-05-005%3ABITSAdminDownloadFile_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2021-05-005/"
},
"d3f:kb-abstract": "The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object. In addition, look for download or upload on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from bitsadmin.exe, but the artifacts will appear in a parallel process of svchost.exe with a command-line similar to svchost.exe -k netsvcs -s BITS. It’s important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use bitsadmin /list /verbose to list out the jobs during investigation.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessSpawnAnalysis"
},
"d3f:kb-reference-title": "CAR-2021-05-005: BITSAdmin Download File",
"rdfs:label": "Reference - CAR-2021-05-005: BITSAdmin Download File - MITRE"
},
{
"@id": "d3f:CWE-266",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-266",
"d3f:definition": "A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.",
"rdfs:label": "Incorrect Privilege Assignment",
"rdfs:subClassOf": {
"@id": "d3f:CWE-269"
}
},
{
"@id": "d3f:HierarchicalClustering",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-HC",
"d3f:definition": "Hierarchical clustering (also called hierarchical cluster analysis or HCA) is a method of cluster analysis that seeks to build a hierarchy of clusters.",
"d3f:kb-article": "## References\nWikipedia. (2021, August 10). Hierarchical clustering. [Link](https://en.wikipedia.org/wiki/Hierarchical_clustering)\nhtml)",
"rdfs:label": "Hierarchical Clustering",
"rdfs:subClassOf": {
"@id": "d3f:ClusterAnalysis"
}
},
{
"@id": "d3f:CCI-001127_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:broader": {
"@id": "d3f:EncryptedTunnels"
},
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system protects the integrity of transmitted information.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001127"
},
{
"@id": "d3f:Reference-QuickExecutionOfASeriesOfSuspiciousCommands_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2013-04-002/"
},
"d3f:kb-abstract": "Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.",
"d3f:kb-author": "MITRE",
"d3f:kb-mitre-analysis": "",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:ProcessLineageAnalysis"
},
"d3f:kb-reference-title": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
"rdfs:label": "Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITRE"
},
{
"@id": "d3f:POSIXSymbolicLink",
"@type": "owl:Class",
"d3f:definition": "A POSIX-compliant symbolic link. These are often fast symbolic links, but need not be.",
"rdfs:isDefinedBy": {
"@id": "dbr:Symbolic_link"
},
"rdfs:label": "POSIX Symbolic Link",
"rdfs:subClassOf": [
{
"@id": "d3f:SymbolicLink"
},
{
"@id": "d3f:UnixLink"
}
]
},
{
"@id": "d3f:RemoveUserFromGroupEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a user is removed from a group, revoking the permissions and privileges associated with the group from the user.",
"rdfs:label": "Remove User from Group Event",
"rdfs:subClassOf": [
{
"@id": "d3f:GroupManagementEvent"
},
{
"@id": "_:Nb6e8af537f4c4a108e0b3335a672190b"
},
{
"@id": "_:N6212a9a00abf493b92e04a7b8e9b069f"
}
]
},
{
"@id": "_:Nb6e8af537f4c4a108e0b3335a672190b",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:has-participant"
},
"owl:someValuesFrom": {
"@id": "d3f:UserAccount"
}
},
{
"@id": "_:N6212a9a00abf493b92e04a7b8e9b069f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:AddUserToGroupEvent"
}
},
{
"@id": "d3f:CycleGAN",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-CYC",
"d3f:definition": "The Cycle Generative Adversarial Network (CycleGAN) is an approach to training a deep convolutional neural network for image-to-image translation tasks by mapping between input and output images using unpaired dataset.",
"d3f:kb-article": "## References\nEsri. (n.d.). How CycleGAN Works. [Link](https://developers.arcgis.com/python/guide/how-cyclegan-works/)",
"rdfs:label": "CycleGAN",
"rdfs:subClassOf": {
"@id": "d3f:Image-to-ImageTranslationGAN"
}
},
{
"@id": "d3f:CCI-000192_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The information system enforces password complexity by the minimum number of upper case characters used.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:StrongPasswordPolicy"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-15T00:00:00"
},
"rdfs:label": "CCI-000192"
},
{
"@id": "d3f:T1192",
"@type": "owl:Class",
"d3f:attack-id": "T1192",
"d3f:definition": "Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.",
"owl:deprecated": true,
"rdfs:comment": "This technique has been revoked by T1566.002",
"rdfs:label": "Spearphishing Link",
"rdfs:seeAlso": "T1566.002",
"rdfs:subClassOf": {
"@id": "d3f:InitialAccessTechnique"
}
},
{
"@id": "d3f:signed-by",
"@type": "owl:ObjectProperty",
"d3f:definition": "x signed-by y: The digital artifact x includes a signature generated by the entity y, certifying the authenticity and integrity of x. This relationship indicates that x has undergone a validation process by y, using cryptographic measures to ensure that x is trustworthy and unaltered since the signing by y.",
"owl:inverseOf": {
"@id": "d3f:signs"
},
"rdfs:label": "signed-by",
"rdfs:subPropertyOf": {
"@id": "d3f:validated-by"
}
},
{
"@id": "d3f:CWE-1385",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1385",
"d3f:definition": "The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.",
"d3f:synonym": "Cross-Site WebSocket hijacking (CSWSH)",
"rdfs:label": "Missing Origin Validation in WebSockets",
"rdfs:subClassOf": {
"@id": "d3f:CWE-346"
}
},
{
"@id": "d3f:CCI-001145_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": [
{
"@id": "d3f:DiskEncryption"
},
{
"@id": "d3f:FileEncryption"
}
],
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-21T00:00:00"
},
"rdfs:label": "CCI-001145"
},
{
"@id": "d3f:T1609",
"@type": "owl:Class",
"d3f:attack-id": "T1609",
"d3f:definition": "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)",
"rdfs:label": "Container Administration Command",
"rdfs:subClassOf": {
"@id": "d3f:ExecutionTechnique"
}
},
{
"@id": "d3f:NetworkConnectionCloseEvent",
"@type": "owl:Class",
"d3f:definition": "An event where a network connection is closed.",
"rdfs:label": "Network Connection Close Event",
"rdfs:subClassOf": [
{
"@id": "d3f:NetworkConnectionEvent"
},
{
"@id": "_:Nc67e29d5e8924afca76dc1e98efde0ab"
}
]
},
{
"@id": "_:Nc67e29d5e8924afca76dc1e98efde0ab",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:preceded-by"
},
"owl:someValuesFrom": {
"@id": "d3f:NetworkConnectionOpenEvent"
}
},
{
"@id": "d3f:NIST_SP_800-53_R5_SC-2_1",
"@type": [
"owl:NamedIndividual",
"d3f:NISTControl"
],
"d3f:control-name": "Separation of System and User Functionality | Interfaces for Non-privileged Users",
"d3f:member-of": {
"@id": "d3f:NIST_SP_800-53_R5"
},
"d3f:narrower": [
{
"@id": "d3f:LocalFilePermissions"
},
{
"@id": "d3f:SystemConfigurationPermissions"
}
],
"rdfs:label": "SC-2(1)"
},
{
"@id": "d3f:Reference-LeverageSecurityFrameworksLibraries_OWASP",
"@type": [
"owl:NamedIndividual",
"d3f:GuidelineReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://top10proactive.owasp.org/archive/2018/c2-leverage-security-frameworks-libraries/"
},
"d3f:kb-organization": "OWASP",
"d3f:kb-reference-of": {
"@id": "d3f:TrustedLibrary"
},
"d3f:kb-reference-title": "Leverage Security Frameworks and Libraries",
"rdfs:label": "Reference - Leverage Security Frameworks and Libraries - OWASP"
},
{
"@id": "d3f:Reference-AutomatedComputerVulnerabilityResolutionSystem",
"@type": [
"owl:NamedIndividual",
"d3f:PatentReference"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://patents.google.com/patent/US7308712B2"
},
"d3f:kb-abstract": "A system and process for addressing computer security vulnerabilities. The system and process generally comprise aggregating vulnerability information on a plurality of computer vulnerabilities; constructing a remediation database of said plurality of computer vulnerabilities; constructing a remediation signature to address the computer vulnerabilities; and deploying said remediation signature to a client computer. The remediation signature essentially comprises a sequence of actions to address a corresponding vulnerability. A managed automated approach to the process is contemplated in which the system is capable of selective deployment of remediation signatures; selective resolution of vulnerabilities; scheduled deployment of remediation signatures; and scheduled scanning of client computers for vulnerabilities.",
"d3f:kb-author": "Carl E. Banzhof",
"d3f:kb-organization": "McAfee LLC",
"d3f:kb-reference-of": {
"@id": "d3f:AssetVulnerabilityEnumeration"
},
"d3f:kb-reference-title": "Automated computer vulnerability resolution system",
"rdfs:label": "Reference - Automated computer vulnerability resolution system"
},
{
"@id": "d3f:ContentModification",
"@type": [
"owl:Class",
"owl:NamedIndividual",
"d3f:ContentModification"
],
"d3f:d3fend-id": "D3-CM",
"d3f:definition": "Modify content that does not comply with policy.",
"d3f:filters": [
{
"@id": "d3f:DigitalMedia"
},
{
"@id": "d3f:FileContentBlock"
},
{
"@id": "d3f:FileMetadata"
}
],
"d3f:kb-article": "## How it works\n\nWhen content is found to not comply with it's content policy, it may be transformed to a safer state by modifying it.",
"d3f:kb-reference": {
"@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
},
"d3f:modifies": {
"@id": "d3f:File"
},
"rdfs:label": "Content Modification",
"rdfs:subClassOf": [
{
"@id": "d3f:ContentFiltering"
},
{
"@id": "_:N53bc817652994c51b50500362219d1ce"
},
{
"@id": "_:N98234b2d77ce4f47af117d07571f7f18"
},
{
"@id": "_:Nd42f2e524684482ca1f02cc5c1fee396"
},
{
"@id": "_:N5953798ba04549df9a1ccca913008e4f"
}
]
},
{
"@id": "_:N53bc817652994c51b50500362219d1ce",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:filters"
},
"owl:someValuesFrom": {
"@id": "d3f:DigitalMedia"
}
},
{
"@id": "_:N98234b2d77ce4f47af117d07571f7f18",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:filters"
},
"owl:someValuesFrom": {
"@id": "d3f:FileContentBlock"
}
},
{
"@id": "_:Nd42f2e524684482ca1f02cc5c1fee396",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:filters"
},
"owl:someValuesFrom": {
"@id": "d3f:FileMetadata"
}
},
{
"@id": "_:N5953798ba04549df9a1ccca913008e4f",
"@type": "owl:Restriction",
"owl:onProperty": {
"@id": "d3f:modifies"
},
"owl:someValuesFrom": {
"@id": "d3f:File"
}
},
{
"@id": "d3f:CCI-000880_v2022-04-05",
"@type": [
"owl:NamedIndividual",
"d3f:CCIControl"
],
"d3f:contributor": {
"@id": "d3f:DISA_FSO"
},
"d3f:definition": "The organization audits non-local maintenance and diagnostic sessions.",
"d3f:member-of": {
"@id": "d3f:CCICatalog_v2022-04-05"
},
"d3f:narrower": {
"@id": "d3f:OperatingSystemMonitoring"
},
"d3f:published": {
"@type": "xsd:dateTime",
"@value": "2009-09-18T00:00:00"
},
"rdfs:label": "CCI-000880"
},
{
"@id": "d3f:kb-author",
"@type": "owl:AnnotationProperty",
"d3f:definition": "x kb-author y: The reference x has some author y.",
"rdfs:domain": {
"@id": "d3f:TechniqueReference"
},
"rdfs:label": "kb-author",
"rdfs:range": {
"@id": "xsd:string"
},
"rdfs:subPropertyOf": {
"@id": "d3f:d3fend-kb-reference-annotation"
}
},
{
"@id": "d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE",
"@type": [
"owl:NamedIndividual",
"d3f:ExternalKnowledgeBase"
],
"d3f:has-link": {
"@type": "xsd:anyURI",
"@value": "https://car.mitre.org/analytics/CAR-2020-11-001/"
},
"d3f:kb-abstract": "Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\\EnvironmentUserInitMprLogonScript. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.",
"d3f:kb-author": "MITRE",
"d3f:kb-organization": "MITRE",
"d3f:kb-reference-of": {
"@id": "d3f:SystemInitConfigAnalysis"
},
"d3f:kb-reference-title": "CAR-2020-11-001: Boot or Logon Initialization Scripts",
"rdfs:label": "Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITRE"
},
{
"@id": "d3f:CWE-340",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-340",
"d3f:definition": "The product uses a scheme that generates numbers or identifiers that are more predictable than required.",
"rdfs:label": "Generation of Predictable Numbers or Identifiers",
"rdfs:subClassOf": {
"@id": "d3f:CWE-330"
}
},
{
"@id": "d3f:CWE-1283",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-1283",
"d3f:definition": "The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.",
"rdfs:label": "Mutable Attestation or Measurement Reporting Data",
"rdfs:subClassOf": {
"@id": "d3f:CWE-284"
}
},
{
"@id": "d3f:CWE-652",
"@type": "owl:Class",
"d3f:cwe-id": "CWE-652",
"d3f:definition": "The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.",
"rdfs:label": "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')",
"rdfs:subClassOf": [
{
"@id": "d3f:CWE-91"
},
{
"@id": "d3f:CWE-943"
}
]
},
{
"@id": "d3f:DS0028",
"@type": [
"owl:NamedIndividual",
"d3f:ATTACKEnterpriseDataSource"
],
"d3f:broader": {
"@id": "d3f:LoginSession"
},
"d3f:definition": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization",
"rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Login Session Metadata component",
"rdfs:label": "Logon Session (ATT&CK DS)"
},
{
"@id": "d3f:HardwareDevice",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:definition": "Hardware devices are the physical artifacts that constitute a network or computer system. Hardware devices are the physical parts or components of a computer, such as the monitor, keyboard, computer data storage, hard disk drive (HDD), graphic cards, sound cards, memory (RAM), motherboard, and so on, all of which are tangible physical objects. By contrast, software is instructions that can be stored and run by hardware. Hardware is directed by the software to execute any command or instruction. A combination of hardware and software forms a usable computing system.",
"rdfs:isDefinedBy": {
"@id": "dbr:Computer_hardware"
},
"rdfs:label": "Hardware Device",
"rdfs:seeAlso": {
"@id": "https://schema.ocsf.io/objects/device_hw_info"
},
"rdfs:subClassOf": [
{
"@id": "d3f:DigitalInformationBearer"
},
{
"@id": "d3f:PhysicalArtifact"
}
]
},
{
"@id": "d3f:DecisionTree",
"@type": [
"owl:Class",
"owl:NamedIndividual"
],
"d3f:d3fend-id": "D3A-DT",
"d3f:definition": "Decision tree learning is a supervised learning approach used in statistics, data mining, and machine learning. In this formalism, a classification or regression decision tree is used as a predictive model to draw conclusions about a set of observations.",
"d3f:kb-article": "## How it works\n\nA decision tree starts with a root node, which does not have any incoming branches. The outgoing branches from the root node then feed into the internal nodes, also known as decision nodes. Based on the available features, both node types conduct evaluations to form homogenous subsets, which are denoted by leaf nodes, or terminal nodes. The leaf nodes represent all the possible outcomes within the dataset.\n\n## Considerations\n\nWhile the basic underlying model is that of a decision tree, the decision tree node criteria, and the method for identifying splits varies significantly depending on the learning algorithm selected (e.g., CART, ID3, C4.5, C5.0, CHAID, MARS.) Extensions like linear and logistic trees can add additional expressiveness as well.\n\n## Key Test Considerations\n\n- **Machine Learning**:\n\n - **Verify the dataset quality**: Check the data to make sure it is\n free of errors. Quantify the degree of missing values,\n outliers, and noise in the data collection. If the data quality\n is low, it may be difficult or impossible to create models and\n systems with the desired performance.\n\n - **Verify development datasets are representative**: of expected\n operational environment and data collection means. Compare\n distributions of dataset features and labels with exploratory\n data analysis and assess the difference in tests on training\n data and tests on evaluation data (where the evaluation data\n must be drawn from a representative dataset.)\n\n - **Use a variety of data sets**: where available and applicable, to\n reflect different operating and environment conditions that are\n likley to be be encountered.\n\n - **Use software libraries**: and tools built for ML where possible, so\n that the underlying code is verified by prior use.**\n\n - **Diagnose model errors with domain SMEs**: Have problem domain\n SMEs investigate model errors for conditions for which the model\n may underperform and suggest refinements.\n\n- **Classification**:\n\n - **Use Standard Classification Performance Measures**: Not all of\n the following may be necessary, but should be considered for\n both verification (developmental test) and operational test\n stages use:\n\n - **Accuracy**: The fraction of predictions that were corret.\n\n - **Precision**: The proportion of positive identifications that were correct.\n\n - **Recall**: The proportion of actual positive cases identified correctly.\n\n - **F-Measure**: Combines the preicion and recall into a single\n score. It is the harmonic mean of the precision and recall.\n\n - **Receiver Operating Characteristic (ROC) Curve**: A ROC curve\n shows the performance of a classification model at all\n classification thresholds. It graphs the True Positive Rate\n over the False Positive Rate.\n\n - **Area Under the ROC Curve (AUC)**: This measures the\n two-dimensional area under the ROC Curve. AUC is\n scale-invariant and classification-threshold invariant.\n\n - **ROC TP vs FP points**: In addition to a specific AUC score,\n the performance at points\n\n - **Confusion Matrix**: A confusion matrix is a table layout that\n allows the visualization of the performance of an\n algorithm. Each row of the matrix represents the instances in\n an actual class while each column represents the instances in\n a predicted class, or vice versa. It is a special kind of\n contingency table, with two dimensions (\"actual\" and\n \"predicted\"), and identical sets of \"classes\" in both\n dimensions (each combination of dimension and class is a\n variable in the contingency table.)\n\n - **Prediction Bias**: The difference between the average of the\n predicted labels and the average of the labels in the data\n set. One should check for prediction bias when evaluating the\n classifier's results. Causes of bias can include:\n\n - **Noisy data set**: Errors in original data can as the\n collection method may have an underlying bias.\n\n - **Processing bug**: Errors in the data pipeline can\n introduce bias.\n\n - **Biased training sample (unbalanced samples)**: Model\n parameters may be skewed towards majority classes.\n\n - **Overly strong regularization**: Model may be underfitting\n model and too simple.\n\n - **Proxy variables**: Model features may be highly\n correlated.\n\n- **Supervised Learning**:\n\n - **Overfitting and Underfitting**: Overfitting occurs when the the\n model built corresponds too closely or exactly to a particular\n set of data, and thus may fail to fit to predict additional data\n reliably. An overfitted model is a mathematical model that\n contains more parameters than can be justified by the data.\n Underfitting occurs when the model built does adequately capture\n the patterns in the data. As an example, a linear model will\n underfit a non-linear dataset.\n\n - **Sensitivity**: Perform N-fold Cross validation to indicate how\n much sensitivity the algorithm has to data variation and to avoid\n overfitting operational models.\n\n- **Decision Tree Learning**:\n\n - **Sensitive to unbalanced classes**: Examine and determine target\n class balance; decision tree learning algorithms are especially\n sensitive to unbalanced target classes.\n\n - **Consider decision boundaries**: Perform exploratory data\n analysis to determine if decision boundaries lie alongaxes of\n features. _Decision trees are ideal when decision boundaries can\n be found that lie along axes of features._\n\n - **Decision tree overfitting** may require tuning algorithm hyperparameters such as tree depth, max features used, max leaf nodes, etc.\n\n - **Pruning** may result in a more robust model in real-word applications.\n\n - **Missing values**: Inspect the data set to determine if there\n are missing values and select a means to address them, either by\n choosing an algorithm that works well or a way to impute the\n value or eliminate the missing values in the data sensors or\n pipeline.\n\n## Platforms, Tools, or Libraries\n\n- **scikit-learn**: includes tree algorithms for ID3, C4.5, C5.0, and CART.\n\n- **Weka**: includes J48 (C4.5), SimpleCart (CART), Logistic Model Trees, Naive Bayes Trees, and more.\n\n### Validation Approach\n- Use operationally relevant data across the range of application's operating environment.\n- Incorporate some kind of continuous validation to address concept drift and the need to retrain the model and/or check data quality.\n\n## References\n1. Decision tree learning. (2023, May 30). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Decision_tree_learning).\n2. Decision Trees. (n.d.). In _scikit-learn User Guide 1.2.2_. [Link](https://scikit-learn.org/stable/modules/tree.html).\n3. Concept drift. (2023, April 17). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Concept_drift).\n4. 8 Concept Drift Detection Methods. (n.d.). In _Aporia Learning Center_. [Link](https://www.aporia.com/learn/data-drift/concept-drift-detection-methods/).",
"rdfs:label": "Decision Tree",
"rdfs:subClassOf": {
"@id": "d3f:Classification"
}
},
{
"@id": "d3f:T1027.017",
"@type": "owl:Class",
"d3f:attack-id": "T1027.017",
"d3f:definition": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `